A bombshell report on Monday revealed that Deloitte was hit by a major cyber attack that compromised its email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms—especially since a major part of Deloitte’s business is selling cyber security.
The full extent of the hacking episode isn’t clear, but details are beginning to trickle out, including from Brian Krebs, a well-respected security journalist who says he has heard from sources close to the Deloitte. Here’s a Q&A about we know and don’t know about the latest high profile security attack.
What did the hackers steal?
The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”
Krebs, however, cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts. Worse, it appears the hackers transferred or copied a significant amount of that confidential data:
This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.
Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.
What companies are affected?
Deloitte has only said it notified six companies and some government agencies, but it has not identified them. The Guardian adds that those companies are household names, but likewise doesn’t provide further details.
A firm like Deloitte advises giant multinationals in sectors like finance, pharma, and media, so the length of potential victims is long. It’s also possible the list of actual victims will come to number more than six—especially if Deloitte has yet to get to the bottom of the hack.
How bad is this?
For Deloitte, it’s very bad. The reputation of company’s cyber-security consulting business will take a hit, and not just because it got breached. If details in the Guardian’s report are true, Deloitte failed to deploy elementary security measures such as requiring two-factor authentication. The firm also appears to have guarded large pools of data with a single password.
For Deloitte’s clients, the extent of the harm is less clear. If hackers indeed got hold of all of Deloitte’s emails, those messages may have revealed their client’s secret corporate strategies or sensitive intellectual property. Meanwhile, all of those email addresses would provide crooks with ample opportunities for spear-phishing scams targeted at top executives.
Who are the hackers?
No one has claimed responsibility, but the nature of the attacks suggest the hackers were commercially motivated, and seeking confidential information to sell or use for insider trading. This fits the pattern of Russian criminal gangs who plot jobs in secret Internet forums, as well as hackers sponsored by the Chinese government—as Fortune reported last year, China was behind a series of infiltrations targeting white shoe law firms and their clients.
When will we know more?
Reports suggests Deloitte knew something was amiss as long ago as last October so the firm almost certainly knows more than it is disclosing. In response to the Guardian’s report, the company issued a statement but has yet to address the additional details described by Krebs.
Look for more information to trickle out in coming days from the company, but also in the form of leaks from the security community and beyond.