U.S. Government Agencies Exposed In Deloitte Breach

The hack that thrust accountancy firm Deloitte into the spotlight last month is rearing much uglier details than were originally released.

In a new report this week released by The Guardian – the publication that broke the initial story – sources say the breach was much wider than what the company previously stated, and that the emails of some 350 clients were exposed. Those clients reportedly include four United States Government departments, the United Nations, and other multinational organizations.

The attack allegedly hit a server hosting emails for:

  • The US departments of state, energy, homeland security, and defense
  • The United States Postal Service
  • The National Institutes of Health
  • Mortgage companies Fannie Mae and Freddie Mac

Deloitte is a consulting firm that offers solutions in audit and assurance, consulting, risk and financial advisory and other related services boasts a worldwide employee base of some 245,000 workers in 150 countries. Initially, Deloitte said just six clients were impacted by the breach, but new details clearly state that is not the case.

"The data breaches for Deloitte, Equifax, or Uber can prove to be catastrophic, but it hasn’t always done so,” said Jamal Hartenstein, Data Privacy & Cyber Security Lawyer with CalPERS. “Uber agreed to the 20-year engagement with the FTC (although their other options might have left Uber with little negotiation power). ‘Pay now or pay more later’ is a saying that lawyers use in settlement negotiations and it’s a saying applicable to breach protection now. Deloitte is a global company that consults many large enterprises on cybersecurity itself, so some would say they did not drink their own Kool-Aid. But that might not be the case; any cybersecurity consultant, expert witness or attorney will say that no company is breach-proof. This situation with Deloitte makes them a martyr for their own slogan. Because what Deloitte preaches has been proven true, on themselves, this suggests that federal oversight might become an answer, whether we like that solution or not.”

While Deloitte’s breach is a stunner, it’s certainly not the first large-scale hack this year, nor will it be the last. In the last six months alone, companies like Equifax and Maersk fell victim to high profile breaches that affected hundreds of millions of users and severely impacted their profit margins.

For Maersk, which was hit by the NotPetya cyber attack last spring, announced its Q3 results would be hit and expected to lose between $200 and $300 million as a result. Equifax said it makes cybersecurity a daily priority, but this incident clearly broke down the walls of whatever measures were put in place.

“This is another object lesson in how hard it is to keep large data stores secure,” said Nathaniel Gleicher, Former Director of Cybersecurity Policy for the White House and current Head of Cybersecurity Strategy for Illumio. “Even large organizations struggle, because it’s far too easy for intruders to slip across the perimeter and then bide their time inside compromised networks until they can get to the most valuable data. If we want to stop breaches like this, we have to get much better at stopping lateral movement within compromised networks.”

To read more from Enterprise Mobility Exchange, sign up for our weekly newsletter here