Sensitive client emails, usernames, passwords exposed in Deloitte hack

Deloitte, one of the world's "big four" accountancy firms, has fallen victim to a cyberattack that exposed sensitive emails to hackers. The IT security breach dates back to November 2016 but was only discovered in March this year, according to The Guardian, which broke the news in an exclusive on Monday. Deloitte has …

  1. Anonymous Coward
    FAIL

    If only there was someone's advice they could follow.

    https://www2.deloitte.com/us/en/pages/risk/topics/cyber-security.html?icid=top_cyber-security

    1. sitta_europea Silver badge

      Re: If only there was someone's advice they could follow.

      At that link they write:

      "Organisations must remain secure, vigilant, and resilient ..."

      Well clearly they failed on the first one.

      Seems like taking four months to notice fails them on the second.

      For the third, it remains to be seen.

  2. Anonymous Coward
    Anonymous Coward

    Well, duh ..

    .. if you want to sell yourself as cybersecurity advisers, the absolute first thing you should do is clean your own house because you just painted a nice fat target on your front and back.

    The problem is, of course, that fixing your own security is a cost centre exercise, whilst fixing someone else's is a (very) profitable revenue stream, so guess what gets priority?

    Way to go to damage your own credibility.

    1. Anonymous Coward
      Anonymous Coward

      Re: Well, duh ..

      Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class,

      Depressingly, the continual and dismal parade of breaches at organisations that really should know better suggests that they may well be.

      1. Pascal Monett Silver badge

        Yeah, "deeply committed"

        Not deeply enough to put the money where their mouth is, though.

        Actual security is a nuisance, and it is expensive. Humans don't like nuisances, beancounters don't like expensive. Ergo, security is an uphill battle. Both ways.

  3. Anonymous Coward
    Anonymous Coward

    Pocket Money

    I can count my kids' pocket money, so I guess that makes me good enough to be a financial advisor - NOT.

  4. fidodogbreath

    This just in

    Proper security is an expensive pain in the ass, so very few companies (and people) employ it.

  5. Dr Who

    On the basis that being compromised is inevitable at some point for every organisation, the measure of effectiveness is whether there was a procedure in place for dealing with and mitigating the consequences, and how good that plan turns out to be. It seems that Deloitte have such a plan and time will tell how good it is.

    All of that said, having an email admin account without 2FA seems to be a bit of a schoolboy error by any measure. We had a really good fire drill in place but neglected to fix the leaky gas pipes in the basement.

    1. Anonymous Coward
      Anonymous Coward

      On the basis that being compromised is inevitable at some point for every organisation, the measure of effectiveness is whether there was a procedure in place for dealing with and mitigating the consequences, and how good that plan turns out to be.

      I agree 100%.

      It seems that Deloitte have such a plan and time will tell how good it is.

      I disagree. Probably 100%.

      It took them 4+ months to detect. Five months later they are still investigating. They never took control of the message to the public, it was leaked by a newspaper. They aren't managing the PR spin, they are being spun.

      None of this implies they had any functional "Cyber Readiness" in place and I suspect their crisis response isn't very well oiled other than "keep quiet and hope no one else notices."

  6. PNGuinn
    Mushroom

    As the bowl of petunias said .....

    ..... Oh, no, not again.

    Methinks it might even be safer to send one's personal data through the post on the back of a postcard than trust the security of some big name cowboys ....

    In the cloud, you say? Well, I'm sure that the relevant three and four letter agencies will keep their copies of your data safe .... ?

    1. Anonymous Coward
      Anonymous Coward

      Re: As the bowl of petunias said .....

      Problem is - the TLAs will have scans of all paper mail from the sorting machines, they OCR it, then put all that juicy data neatly-like in databases, outsourced to the lowest bidder probably located in a place where "we" are "at war with terror" and operated by smart "axis of evil people" or plonkers.

      Those databases are then splurged onto the internet.

  7. Anonymous Coward
    Anonymous Coward

    The thankless task of DBS

    Blame the consulting model that charges each client to reinvent the wheel before starting any real work. Given that the Deloitte Business Security Team appear to be those who drew the short straws on the 'bench' that month, with no formal training and no formal contacts with Microsoft, I'm surprised there are not more public security breaches.

    Do you have a client account to charge internal MFA to? No? Computer says No to your security request then...

  8. John Brown (no body) Silver badge

    one of the world's "big four" accountancy firms

    ...and yet they can't afford the extra security protection of running their own mail server?

    I wonder how much they pay MS Azure to host it and the cost of the reputation damage/compensation compared to running their own systems?

    Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class,

    How can they claim that when they put their data and systems on someone else's servers where, by definition, they have less control over the security?

    1. Korev Silver badge

      Re: one of the world's "big four" accountancy firms

      I wonder how much they pay MS Azure to host it and the cost of the reputation damage/compensation compared to running their own systems?

      I notice that the article refers to Azure and not Office 365; which suggests that Deloitte were running their own systems in Azure rather than just paying MS to do the lot.

    2. Anonymous Coward
      Anonymous Coward

      Re: one of the world's "big four" accountancy firms

      I happen to know that another of the big 4 is aggressively moving their systems to Azure and have their email systems hosted on O365 EXCEPT where individual country practices have said they won't allow it, e.g. Germany, Switzerland.

      The interconnects are still in O365 though.

    3. fidodogbreath

      Re: one of the world's "big four" accountancy firms

      and yet they can't afford the extra security protection of running their own mail server?

      Oh, they can; they just choose not to.

  9. chivo243 Silver badge
    Trollface

    If they visit again

    I'll have to remember this little gem when they start poking around.

    1. Anonymous Coward
      Anonymous Coward

      Re: If they visit again

      I'm considering making a movie style poster for my wall of this incident. Plenty of good quotes you can throw in there from Deloitte..

  10. Anonymous Coward
    Anonymous Coward

    Lessons remain unlearned

    Do organisations in other parts of the world suffer security breaches on this scale? Perhaps they're more sensible and restrict sensitive data to their internal networks.

    I'm sure there's a hostile agency or two somewhere collecting all the leaked data and mining it for future cyber offensives.

  11. Anonymous Coward
    Facepalm

    Security and two-factor authentication ..

    "Hackers gained access to Deloitte's email system through an administrative account that was not secured using two-factor authentication"

    How did they get the administrative account password? Not that two-factor authentication would have protected them.

    1. Anonymous Coward
      Anonymous Coward

      Re: Security and two-factor authentication ..

      From my time in large companies, they tend to have at least one generic-style admin account for systems with no 2FA which is given to contractors when they rock up. That password is rarely changed when the contractor leaves, and if the account isn't disabled..

    2. fajensen
      Pint

      Re: Security and two-factor authentication ..

      Well Spotted, that Dick!

      The phrase "... that was not secured using two-factor authentication ..." is the spin-doctored diversion of attention away from the issue: that someone got the admin account.

  12. mutin

    MS cloud services do not have two-factor auth?

    Once, working on a US government project, I found that the MS Dynamics for Government cloud service does not have two-factor authentication, which was a government requirement. The project went on anyway. Deloitte also used MS stuff and very likely was not able to secure it by two-factor as it does not exist in the MS set of cloud security. You get what you get..

    1. Anonymous Coward
      Anonymous Coward

      Re: MS cloud services do not have two-factor auth?

      MS cloud shiz does allow 2FA.

  13. steviebuk Silver badge

    surely....

    ....that part of their business is now dead

    "a range of cybersecurity services to banks"

    No one is going to hire them for that now.
