Deloitte Breach: Simple Oversight, Major Consequences

One of the world’s most notable accountancy firms offering cyber security solutions and strategy fell victim to a data breach in 2016, and news broke of the event this week.

Deloitte, a consulting firm that offers solutions in audit and assurance, consulting, risk and financial advisory and other related services boasts a worldwide employee base of some 245,000 workers in 150 countries.

The Guardian broke the news Monday, but details continued to trickle out as each hour passed, and as with any high-profile breach, information became worse with each headline.

According to various published reports, the breach included the exposure of usernames, passwords, and personal data of the firm’s “blue-chip” clients. The breach allegedly occurred in the fall of 2016, and found entry by way of company office in Nashville, Tennessee.

Enterprise Mobility Exchange’s request for comment from Deloitte’s media team was not returned.

“If this is true, it goes to show that no one is immune,” said ESG Principal Analyst Jon Oltsik. “It seems like Deloitte should have done a better job protecting these assets … so I am really not sure if it was neglect, human error, or a highly sophisticated hack. If I were a customer of Deloitte, I’d be very worried.”

What makes the breach tougher to swallow than previous large-scale attacks is that Deloitte has its own cyber security solutions and offerings for its clients. Deloitte’s Cyber Intelligence Centre says:

“Deloitte’s Cyber Intelligence Center integrates state-of-the-art technology with industry insight to provide round-the-clock business-focused operational security. With 24x7 coverage, we monitor and assess the threats specific to your organization, enabling you to swiftly and effectively mitigate risk and strengthen your cyber resilience. Going beyond the technical feeds, our professionals are able to contextualize the relevant threats, helping determine the risk to your business, your customers and your stakeholders.”

And that’s where a breach of this kind takes a turn, compared to previous attacks. Credit monitoring agency Equifax recently announced 143 million of its users’ information was compromised due to not properly patching gaps in its system. But Equifax wasn’t offering cyber security solutions, either.

“Deloitte will suffer greatly from reputational harm and I suspect a loss in customer confidence,” said Rizwan Jan, CISO for the Henry M. Jackson Foundation. “An administrative account was leveraged to gain access to Deloitte’s email system. This again sheds light on the importance of privileged ID management. The lack of two-factor authentication was an additional control that was missing as well. A rather simple solution to implement, two-factor authentication adds an extra layer of protection that most companies overlook because of the mindset of ‘we won’t be targeted,’ or ‘it won’t be me.’ It will be important now of how Deloitte responds to the breach as full transparency is important.

“The Equifax breach serves as a great reminder of what not to do,” Jan continued.

The Guardian also reported that Deloitte’s entire staff email client was stored in the Azure cloud service provided by Microsoft, and that the company hired Hogan Lovells, a U.S-based law firm, on special assignment back in April of this year.

"The data breaches for Deloitte, Equifax, or Uber can prove to be catastrophic, but it hasn’t always done so,” said Jamal Hartenstein, Data Privacy & Cyber Security Lawyer with CalPERS. “Uber agreed to the 20-year engagement with the FTC (although their other options might have left Uber with little negotiation power). ‘Pay now or pay more later’ is a saying that lawyers use in settlement negotiations and it’s a saying applicable to breach protection now. Deloitte is a global company that consults many large enterprises on cybersecurity itself, so some would say they did not drink their own Kool-Aid. But that might not be the case; any cybersecurity consultant, expert witness or attorney will say that no company is breach-proof. This situation with Deloitte makes them a martyr for their own slogan. Because what Deloitte preaches has been proven true, on themselves, this suggests that federal oversight might become an answer, whether we like that solution or not.”

To read more from Enterprise Mobility Exchange, sign up for our weekly newsletter here