Blue chips are down as Deloitte hit by cyberattack
Yet again, another fintech firm has been hit by a cyberattack. This time it’s Deloitte’s turn – with confidential emails and plans of some of its blue-chip clients compromised, according to the Guardian.
The cybersecurity attack went unnoticed for months and the Guardian says it understands that Deloitte clients across all of its sectors – which includes banking and, ironically, cybersecurity advice – had material in the company email system that was breached. The companies include household names as well as US government departments.
So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.
The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.
The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. The account required only a single password and did not have ”two-step“ verification, sources told the newspaper.
Emails to and from Deloitte’s 244,000 staff were stored in Microsoft’s Azure cloud service.
In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.
The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.
A measure of Deloitte’s concern came on 27 April when it hired the US law firm Hogan Lovells on “special assignment” to review what it called “a possible cybersecurity incident”.
Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted”. It would not be drawn on how many of its clients had data made potentially vulnerable by the breach.
Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.
Earlier this month, Equifax was hit by a data breach, which compromised personal data of 143 million US consumers. The fallout from that event has been far reaching.