
Deloitte breach underlines need for better authentication

A breach of Deloitte’s email system, which may have exposed client details, emphasises the need for two-factor authentication and the monitoring of systems administrators

Cyber attackers have reportedly compromised Deloitte’s global email server through an administrator’s account, giving them unrestricted access to emails and attachments.

The compromised account required only a single password and did not have two-factor authentication (2FA), according to The Guardian.

The attackers may also have been able to access usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

Deloitte’s auditing, tax consultancy and cyber security clients include banks, multinational media enterprises, pharmaceutical firms and government agencies.

Deloitte discovered the breach in March 2017, but it is believed the email system may have been compromised as early as October or November 2016, according to The Guardian.

The breach was regarded as so sensitive that reportedly only a handful of Deloitte’s most senior partners and lawyers were informed.

Deloitte is registered in London and its global headquarters is in New York. The breach is believed to have been US-focused.

The team investigating the breach has been reviewing potentially compromised documents for six months, but the attackers have yet to be identified, according to reports.

Six of Deloitte’s clients have so far been told their information was “impacted” by the breach, according to The Guardian, and a Deloitte spokesperson told Computer Weekly that “very few” clients had been affected.

In response to the breach, the spokesperson said Deloitte had initiated an “intensive and thorough review” that included “mobilising a team of cyber security and confidentiality experts” inside and outside the company, had contacted governmental authorities immediately after it became aware of the incident, and had contacted each of the clients affected.

Deloitte confirmed that the attackers had accessed data from an email platform and that a review of that platform was complete.


“Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did, and to determine that only very few clients were impacted and that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers,” the spokesperson said.

“Deloitte remains deeply committed to ensuring that its cyber security defences are best in class, investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security.”

Breach after breach

News of the Deloitte breach comes just two weeks after credit monitoring agency Equifax revealed that the personal data of 143 million US consumers and about 400,000 UK consumers had been accessed in a data breach in May.

The Equifax breach was discovered in July, but those potentially affected were notified only in mid-September 2017.

Last week, several small businesses in the US filed a class-action lawsuit against credit rating firm Equifax, representing millions of others affected by the breach of personal data, which included names, dates of birth, email addresses and telephone numbers.

Commenting on the Deloitte breach, Javvad Malik, security advocate at AlienVault, said the incident demonstrated that even the largest of organisations could sometimes overlook fundamental security practices, such as enabling two-factor authentication on administrative accounts.

“It also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner,” he said.

Prime target for cyber attackers

Tony Pepper, co-founder and CEO of data security and encryption company Egress, said Deloitte was a “ripe target” because of the company’s position at the top of the corporate food chain.

“It works with some of the biggest organisations on earth, at the very highest level, which is like a red rag to a bull for hackers,” he said.

According to Pepper, compromised mail servers can be a good source of sensitive information for an attacker, allowing them to siphon off message content and attachments.

“This is why multi-factor access control such as two-factor authentication is important, especially for admins. It makes it much harder to gain illicit access in the first place, and provides a warning if someone is trying to log in without your knowledge,” he said.
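The two controls the commentators above return to, two-factor authentication on administrative accounts and ongoing monitoring of administrator activity, can both be expressed as simple checks over a sign-in log. The following is an added example, not code from the article or from any of the firms quoted in it. It assumes a constructed, line-oriented sign-in log format (timestamp, user, role, source IP, whether MFA was used, and the result); real mail platforms emit their own formats, so the parser would need adapting.

```python
"""Audit privileged sign-ins for missing MFA and unexpected source addresses.

Added example. The log format below is an assumption made for illustration:

    <ISO timestamp> user=<name> role=<admin|user> ip=<addr> mfa=<yes|no> result=<ok|fail>
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample log lines (not real data): two password-only admin
# sign-ins from one address, plus ordinary user and backup-admin activity.
SAMPLE_LOG = """\
2016-10-14T02:11:09Z user=mailadmin role=admin ip=203.0.113.7 mfa=no result=ok
2016-10-14T09:30:12Z user=alice role=user ip=198.51.100.23 mfa=yes result=ok
2016-10-14T23:48:55Z user=mailadmin role=admin ip=203.0.113.7 mfa=no result=ok
2016-10-15T00:02:17Z user=bob role=user ip=198.51.100.44 mfa=no result=fail
2016-10-15T03:15:40Z user=backupadmin role=admin ip=192.0.2.9 mfa=yes result=ok
"""


@dataclass
class SignIn:
    ts: str
    user: str
    role: str
    ip: str
    mfa: bool
    ok: bool


def parse_line(line: str) -> SignIn:
    """Parse one 'key=value' sign-in record into a SignIn."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return SignIn(
        ts=ts,
        user=fields["user"],
        role=fields["role"],
        ip=fields["ip"],
        mfa=fields["mfa"] == "yes",
        ok=fields["result"] == "ok",
    )


def parse_log(text: str) -> List[SignIn]:
    """Parse every non-blank line of a log body."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def policy_permits(event: SignIn) -> bool:
    """Preventive control: privileged accounts may not sign in without MFA.

    A password-only administrator sign-in is exactly the gap described in the
    article, so it is refused here regardless of whether the password was right.
    """
    if event.role == "admin" and not event.mfa:
        return False
    return True


def admin_logins_without_mfa(events: List[SignIn]) -> List[SignIn]:
    """Detective control: successful admin sign-ins that were password-only."""
    return [e for e in events if e.role == "admin" and e.ok and not e.mfa]


def admin_logins_from_unexpected_ips(
    events: List[SignIn], allowed: Dict[str, Set[str]]
) -> List[SignIn]:
    """Successful admin sign-ins from addresses outside each account's expected set.

    `allowed` maps an admin account to the source addresses it is known to use;
    an unlisted account has no expected addresses, so every sign-in is flagged.
    """
    return [
        e for e in events
        if e.role == "admin" and e.ok and e.ip not in allowed.get(e.user, set())
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    known = {"mailadmin": {"192.0.2.9"}, "backupadmin": {"192.0.2.9"}}
    for e in admin_logins_without_mfa(events):
        print(f"ALERT password-only admin sign-in: {e.ts} {e.user} from {e.ip}")
    for e in admin_logins_from_unexpected_ips(events, known):
        print(f"ALERT admin sign-in from unexpected address: {e.ts} {e.user} from {e.ip}")
```

Run against a real sign-in feed, the two detective functions are the kind of query Malik's "ongoing monitoring" and Pepper's "warning if someone is trying to log in" refer to; `policy_permits` is the preventive side, refusing privileged access that presents only a password.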

If employees’ stored emails were encrypted, which arguably most sensitive content should be, Pepper said it would then be impossible to decrypt each one, even with administrator access.

“However, if they are not [encrypted] and the attacker has enough time on target, hacked mail servers can provide a wealth of information,” he said.

Stop hackers in their tracks

In the light of the Deloitte breach, Sam Curry, chief security officer at Cybereason, urged all corporations to build a threat-hunting practice and to improve their security hygiene.

“Businesses need to improve their ability to stop attackers by deploying a strategy where they can disrupt the hackers early in the process by being able to respond, preventing attackers from setting up beachheads and backdoors.

“Of course, garden variety threats need to be detected, but the sophisticated threats need to be found and stopped earlier as well,” he said.

Corporations, said Curry, also need a professional, modern incident response capability, a real strategy for segmentation and good hygiene, and to elevate the way security is managed and operated.
