Deloitte, one of the world’s biggest accounting, auditing, and corporate finance consulting firms, has suffered a data breach.
The breach, according to a UK newspaper citing an inside source, took place around October or November 2016 but was not detected until six months later, in March 2017.
The hackers allegedly broke in after managing to take over one of the email server admin accounts. The hack was made easier because the admin user did not use two-factor authentication for the account.
“In a hack of this scale, criminals or spies will continue to reap dividends years down the road,” Kenneth Geers, senior research scientist at Comodo, told Bleeping Computer via email.
“The attack has gone on for at least six months, so the hackers may have been able to cover their tracks and/or install backdoors for future use,” Geers added. “An admin username and password to a global email server is like a digital Swiss Army knife to corporate and client secrets. It is inexcusable for such an admin account not to have two-factor authentication.”
Hackers accessed customer information, confidential emails
Over 244,000 Deloitte employees were using the email server. The company started an investigation into the hack but did not go public with what happened.
The Guardian reported that hackers might have gotten their hands on confidential emails, IP addresses, business plans, architectural diagrams, and health information. Some email file attachments also contained usernames and passwords belonging to US companies and governmental agencies that had contracts with Deloitte.
A Deloitte spokesperson admitted to the security breach earlier today, after the news broke, but declined to confirm what the hackers stole.
Deloitte is said to be still investigating what areas of its networks hackers managed to access.
Investigative reporter Brian Krebs claims the company is playing down the severity of the breach.
Third hack at a financial institution this month
The company is one of the so-called “Big Four” accounting firms, together with Ernst & Young, KPMG, and PricewaterhouseCoopers. The Big Four provide accounting and other financial services to almost all major businesses across the globe.
The Deloitte hack is the third security breach at a major financial agency this month alone, after similar incidents at Equifax and the US Securities and Exchange Commission (SEC).