Sensitive client emails, usernames, passwords exposed in Deloitte hack

Silver badge
FAIL

If only there was someone's advice they could follow.

https://www2.deloitte.com/us/en/pages/risk/topics/cyber-security.html?icid=top_cyber-security

28
0
Bronze badge

Re: If only there was someone's advice they could follow.

At that link they write:

"Organisations must remain secure, vigilant, and resilient ..."

Well clearly they failed on the first one.

Seems like taking four months to notice fails them on the second.

For the third, it remains to be seen.

4
0
Anonymous Coward

Well, duh ..

.. if you want to sell yourself as cybersecurity advisers, the absolute first thing you should do is clean your own house because you just painted a nice fat target on your front and back.

The problem is, of course, that fixing your own security is a cost centre exercise, whilst fixing someone else's a (very) profitable revenue stream, so guess what gets priority?

Way to go to damage your own credibility.

24
0
Silver badge

Re: Well, duh ..

Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class,

Depressingly, the continual and dismal parade of breaches at organisations that really should know better suggests that they may well be.

25
0
Silver badge

Yeah, "deeply committed"

Not deeply enough to put the money where their mouth is, though.

Actual security is a nuisance, and it is expensive. Humans don't like nuisances, beancounters don't like expensive. Ergo, security is an uphill battle. Both ways.

14
0
Anonymous Coward

Pocket Money

I can count my kids' pocket money, so I guess that makes me good enough to be a financial advisor - NOT.

2
0
Silver badge

This just in

Proper security is an expensive pain in the ass, so very few companies (and people) employ it.

8
0

On the basis that being compromised is inevitable at some point for every organisation, the measure of effectiveness is whether there was a procedure in place for dealing with and mitigating the consequences, and how good that plan turns out to be. It seems that Deloitte have such a plan and time will tell how good it is.

All of that said, having an email admin account without 2FA seems to be a bit of a schoolboy error by any measure. We had a really good fire drill in place but neglected to fix the leaky gas pipes in the basement.

7
0
Anonymous Coward

On the basis that being compromised is inevitable at some point for every organisation, the measure of effectiveness is whether there was a procedure in place for dealing with and mitigating the consequences, and how good that plan turns out to be.

I agree 100%.

It seems that Deloitte have such a plan and time will tell how good it is.

I disagree. Probably 100%.

It took them 4+ months to detect. Five months later they are still investigating. They never took control of the message to the public, it was leaked by a newspaper. They aren't managing the PR spin, they are being spun.

None of this implies they had any functional "Cyber Readiness" in place and I suspect their crisis response isn't very well oiled other than "keep quiet and hope no one else notices."

0
0
Silver badge
Mushroom

As the bowl of petunias said .....

..... Oh, no, not again.

Methinks it might even be safer to send one's personal data through the post on the back of a postcard than trust the security of some big name cowboys ....

In the cloud, you say? well, I'm sure that the relevant three and four letter agencies will keep their copies of your data safe .... ?

5
0
Anonymous Coward

Re: As the bowl of petunias said .....

Problem is - the TLAs will have scans of all paper mail from the sorting machines, they OCR it, then put all that juicy data neatly-like in databases, outsourced to the lowest bidder probably located in a place where "we" are "at war with terror" and operated by smart "axis of evil" people or plonkers.

Those databases are then splurged onto to internet.

0
0
Anonymous Coward

The thankless task of DBS

Blame the consulting model that charges each client to reinvent the wheel before starting any real work. Given that the Deloitte Business Security Team appear to be those that drew the short straws on the 'bench' that month, with no formal training and no formal contacts with Microsoft, I'm surprised there are not more public security breaches.

Do you have a client account to charge internal MFA to? No? Computer says No to your security request then...

7
0
Silver badge

one of the world's "big four" accountancy firms

...and yet they can't afford the extra security protection of running their own mail server?

I wonder how much they pay MS Azure to host it and the cost of the reputation damage/compensation compared to running their own systems?

Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class,

How can they claim that when they put their data and systems on someone else's servers where, by definition, they have less control over the security?

5
0
Silver badge

Re: one of the world's "big four" accountancy firms

I wonder how much they pay MS Azure to host it and the cost of the reputation damage/compensation compared to running their own systems?

I notice that the article refers to Azure and not Office 365; which suggests that Deloitte were running their own systems in Azure rather than just paying MS to do the lot.

3
1
Anonymous Coward

Re: one of the world's "big four" accountancy firms

I happen to know that another of the big 4 is aggressively moving their systems to Azure and have their email systems hosted on O365 EXCEPT where individual country practices have said they won't allow it eg. Germany, Switzerland

The interconnects are still in O365 though

1
0
Silver badge

Re: one of the world's "big four" accountancy firms

and yet they can't afford the extra security protection of running their own mail server?

Oh, they can; they just choose not to.

0
0
Silver badge
Trollface

If they visit again

I'll have to remember this little gem when they start poking around.

4
0
Anonymous Coward

Re: If they visit again

I'm considering making a movie-style poster for my wall of this incident. Plenty of good quotes you can throw in there from Deloitte.

0
0
Anonymous Coward

Lessons remain unlearned

Do organisations in other parts of the world suffer security breaches on this scale? Perhaps they're more sensible and restrict sensitive data to their internal networks.

I'm sure there's a hostile agency or two somewhere collecting all the leaked data and mining it for future cyber offensives.

0
0
Silver badge
Facepalm

Security and two-factor authentication ..

"Hackers gained access to Deloitte's email system through an administrative account that was not secured using two-factor authentication"

How did they get the administrative account password? Not that two-factor authentication would have protected them.

4
0
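The quoted line says the admin account was usable without two-factor authentication. The question of how the password was obtained is unanswered on this page, but the telemetry side is checkable: sign-in logs record whether a second factor was satisfied. Below is an added example, not code from the original thread or from Deloitte, that scans exported sign-in events for a set of privileged principals and flags single-factor admin sign-ins, successes from an IP not previously seen for that account, and successes that follow failed attempts from the same IP. The log schema is an assumed, simplified subset of Azure AD sign-in log fields (userPrincipalName, ipAddress, authenticationRequirement, status.errorCode, createdDateTime), the privileged set is assumed to come from a directory role export, and the sample lines are constructed.

```python
"""Flag risky sign-ins by privileged accounts from exported sign-in log lines.

Added example, not from the original thread. The field names are an assumed,
simplified subset of Azure AD sign-in log fields; the sample lines are
constructed and use documentation IP ranges.
"""
import json
from collections import defaultdict

# Constructed sample export: one JSON object per line.
# errorCode 0 = success; 50126 is the Azure AD code for invalid username or password.
SAMPLE_LOG = """
{"createdDateTime": "2016-10-01T08:00:00Z", "userPrincipalName": "admin-mail@example.com", "ipAddress": "203.0.113.10", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2016-10-02T08:05:00Z", "userPrincipalName": "admin-mail@example.com", "ipAddress": "203.0.113.10", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2016-10-15T02:13:00Z", "userPrincipalName": "admin-mail@example.com", "ipAddress": "198.51.100.77", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}}
{"createdDateTime": "2016-10-15T02:14:00Z", "userPrincipalName": "admin-mail@example.com", "ipAddress": "198.51.100.77", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2016-10-15T09:00:00Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2016-10-16T09:00:00Z", "userPrincipalName": "globaladmin@example.com", "ipAddress": "203.0.113.11", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""

# Assumed: principals holding privileged roles, e.g. exported from directory role assignments.
PRIVILEGED = {"admin-mail@example.com", "globaladmin@example.com"}


def parse_log(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_risky_admin_signins(events, privileged):
    """Return a list of (upn, timestamp, reason) findings for privileged accounts.

    Events are processed in time order so the per-account set of known source
    IPs is built from earlier successful sign-ins in the same export.
    """
    events = sorted(events, key=lambda e: e["createdDateTime"])
    known_ips = defaultdict(set)      # upn -> IPs seen on successful sign-ins
    failed = defaultdict(int)         # (upn, ip) -> failed attempts since last success
    findings = []
    for e in events:
        upn = e["userPrincipalName"]
        if upn not in privileged:
            continue
        ip, ts = e["ipAddress"], e["createdDateTime"]
        if e["status"]["errorCode"] != 0:
            failed[(upn, ip)] += 1      # remember failures; score them only on a later success
            continue
        if e["authenticationRequirement"] != "multiFactorAuthentication":
            findings.append((upn, ts, "admin sign-in without MFA"))
        if known_ips[upn] and ip not in known_ips[upn]:
            findings.append((upn, ts, f"admin sign-in from previously unseen IP {ip}"))
        if failed[(upn, ip)]:
            findings.append((upn, ts, f"success after {failed[(upn, ip)]} failed attempt(s) from {ip}"))
            failed[(upn, ip)] = 0
        known_ips[upn].add(ip)
    return findings


if __name__ == "__main__":
    for upn, ts, reason in find_risky_admin_signins(parse_log(SAMPLE_LOG), PRIVILEGED):
        print(f"{ts} {upn}: {reason}")
```

On the constructed sample the single-factor rule fires on every admin-mail success, and the 02:14 success from 198.51.100.77 additionally fires as an unseen IP and as a success following a failed attempt. In practice the known-IP baseline should be built from a prior, trusted window rather than from the same export being scanned, otherwise the first sign-in from the attacker's address becomes part of the baseline.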
Anonymous Coward

Re: Security and two-factor authentication ..

From my time in large companies, they tend to have at least one generic-style admin account for systems with no 2FA which is given to contractors when they rock up. That password is rarely changed when the contractor leaves, and if the account isn't disabled..

1
0
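The comment above, and the earlier remark about an email admin account without 2FA, describe configuration state rather than events: a shared admin account, no second factor, a password that is never rotated, and an account left enabled after its contractor has gone. Each of those is visible in a directory export. Below is an added example, not code from the original thread or from Deloitte, that audits such an export for privileged, enabled accounts and reports those failure modes. The CSV columns (upn, roles, mfa_enrolled, password_last_set, last_signin, enabled) are an assumed export layout, the role names and the generic-name pattern are assumptions to adapt locally, and the rows are constructed.

```python
"""Audit an exported account list for privileged-account hygiene problems.

Added example, not from the original thread. The CSV layout is assumed; a real
export (for instance from MSOnline's Get-MsolUser or from Microsoft Graph) would
need its columns mapped onto these names. Sample rows are constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta

SAMPLE_EXPORT = """upn,roles,mfa_enrolled,password_last_set,last_signin,enabled
alice@example.com,Global Administrator,true,2017-09-01,2017-09-20,true
admin-mail@example.com,Exchange Administrator,false,2015-03-12,2017-09-19,true
contractor-admin@example.com,Exchange Administrator,false,2016-01-10,2016-03-30,true
bob@example.com,,false,2017-08-15,2017-09-21,true
svc-backup@example.com,Global Administrator,false,2014-11-05,2014-11-06,false
"""

# Assumed policy values; adjust to the organisation's own standards.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
GENERIC_NAME = re.compile(r"^(admin|svc|service|test|temp|contractor)", re.I)
MAX_PASSWORD_AGE = timedelta(days=90)
DORMANT_AFTER = timedelta(days=90)


def parse_export(text):
    """Parse the CSV export into typed records; roles are ';'-separated."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": r["upn"],
            "roles": {x.strip() for x in r["roles"].split(";") if x.strip()},
            "mfa": r["mfa_enrolled"].lower() == "true",
            "pwd_set": datetime.strptime(r["password_last_set"], "%Y-%m-%d"),
            "last_signin": datetime.strptime(r["last_signin"], "%Y-%m-%d"),
            "enabled": r["enabled"].lower() == "true",
        })
    return rows


def audit(rows, now):
    """Return {upn: [reasons]} for enabled accounts in a privileged role.

    Disabled accounts and accounts with no privileged role are skipped; the
    point is the set an attacker could still use after getting a password.
    """
    findings = {}
    for a in rows:
        if not a["enabled"] or not (a["roles"] & PRIVILEGED_ROLES):
            continue
        reasons = []
        if not a["mfa"]:
            reasons.append("privileged account without MFA")
        if GENERIC_NAME.match(a["upn"].split("@")[0]):
            reasons.append("generic/shared account name in a privileged role")
        pwd_age = now - a["pwd_set"]
        if pwd_age > MAX_PASSWORD_AGE:
            reasons.append(f"password not changed for {pwd_age.days} days")
        idle = now - a["last_signin"]
        if idle > DORMANT_AFTER:
            reasons.append(f"dormant for {idle.days} days but still enabled")
        if reasons:
            findings[a["upn"]] = reasons
    return findings


if __name__ == "__main__":
    # Fixed reference date so the run is reproducible against the constructed rows.
    for upn, reasons in audit(parse_export(SAMPLE_EXPORT), datetime(2017, 9, 25)).items():
        print(upn)
        for r in reasons:
            print("  -", r)
```

Against the constructed rows, alice passes, bob is ignored because he holds no privileged role, svc-backup is ignored because it is already disabled, and the two shared Exchange admin accounts are reported: admin-mail for missing MFA, its generic name and a password unchanged for over two years, and contractor-admin for those plus being dormant for well over a year while still enabled. The dormant-but-enabled case is the one the comment describes; the fix is to disable or delete the account, not just rotate the password.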
Bronze badge
Pint

Re: Security and two-factor authentication ..

Well Spotted, that Dick!

The phrase "... that was not secured using two-factor authentication ..." is the spin-doctored diversion of attention away from the issue: that someone got the admin account.

1
0

MS cloud services do not have two-factor auth?

Once, working on a US government project, I found that the MS Dynamics for Government cloud service did not have two-factor authentication, which was a government requirement. The project went on anyway. Deloitte also used MS stuff and very likely was not able to secure it with two-factor, as it does not exist in the MS set of cloud security. You get what you get..

0
0
Anonymous Coward

Re: MS cloud services do not have two-factor auth?

MS cloud shiz does allow 2FA.

0
0

surely....

....that part of their business is now dead

"a range of cybersecurity services to banks"

No one is going to hire them for that now.

0
0
