
After the huge Equifax breach, which exposed the personal data of 143 million people, with the intrusion traced back to July (some say as early as March) and announced to the public only on September 7th, Deloitte has something bigger to reveal.

One of the largest consulting firms in the world was reportedly attacked back in March and only owned up to the incident, to the public, the media and its clients, this week. Deloitte is one of the most influential firms in the United States, providing auditing, tax consultancy and high-end cybersecurity advice to some of the world's largest banks, business empires, multinationals, media enterprises, pharmaceutical firms and governments, and it generated $37 billion in revenue in 2016. The reputation behind that figure, and the growth the firm reported in its audit and enterprise risk services (6.5%) and consulting (6.0%) practices, is now undercut by an intrusion into the firm's own email system.

Clients from a wide range of sectors, including household names and US government departments, have had their information accessed remotely. Deloitte reportedly told only six clients that their information was part of the breach, and the company's internal investigation is still running. Reports suggest the intrusion began last March, but a growing number of people believe the attackers were inside the system as early as October of last year.

The attackers got in through an administrator account that was protected by nothing more than a single password, with no two-factor authentication in place. The email system is hosted on Microsoft's Azure cloud service, and because an administrator of the mail platform can reach every mailbox it manages, one compromised account exposed a multitude of client data: passwords, IP addresses, domain credentials, insurance details and health information. A privileged account guarded by a lone password is a single point of failure for the whole platform, which is exactly why second factors on administrator accounts are a baseline control rather than an optional extra.
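For a defender, the lesson of that paragraph is to know which privileged accounts in your own tenant are in the same position. The PowerShell below is an added example, not code from this article or from Deloitte: it lists the members of the Global Administrator directory role in an Azure AD tenant and flags any user who has no per-user MFA requirement or has never registered a second factor. It uses the MSOnline module, which was the standard tooling in 2017 and has since been superseded by the Microsoft Graph PowerShell SDK; the function name Get-AdminsWithoutMfa and the tenant it is run against are assumptions of this example.

```powershell
# Added example: audit Azure AD Global Administrators for missing MFA.
# Not code from the article or from Deloitte. Requires the MSOnline module
# (Install-Module MSOnline) and an account allowed to read directory roles.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the tenant being audited (assumed)

function Get-AdminsWithoutMfa {
    # "Company Administrator" is the directory-role name behind Global Administrator.
    $role    = Get-MsolRole -RoleName "Company Administrator"
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId

    foreach ($m in $members) {
        # Only user principals; service principals and groups have no per-user MFA state.
        if ($m.RoleMemberType -ne "User") { continue }
        $u = Get-MsolUser -ObjectId $m.ObjectId

        # Per-user MFA state is "Enabled" or "Enforced"; empty if it was never turned on.
        $req = $u.StrongAuthenticationRequirements | Select-Object -First 1
        $mfaState = if ($req) { $req.State } else { "Disabled" }

        # Second factors the user has actually registered (phone, authenticator app, ...).
        $methods = @($u.StrongAuthenticationMethods | ForEach-Object { $_.MethodType })
        $methodList = if ($methods.Count -gt 0) { $methods -join "," } else { "none" }

        # Flag admins that would fall to a single stolen or guessed password.
        if ($mfaState -eq "Disabled" -or $methods.Count -eq 0) {
            [pscustomobject]@{
                UserPrincipalName  = $u.UserPrincipalName
                PerUserMfaState    = $mfaState
                RegisteredMethods  = $methodList
                LastPasswordChange = $u.LastPasswordChangeTimestamp
            }
        }
    }
}

Get-AdminsWithoutMfa | Format-Table -AutoSize
```

One caveat when reading the output: per-user MFA state does not reflect Conditional Access policies, so a tenant that enforces MFA through Conditional Access will show "Disabled" for administrators who are in fact challenged at sign-in. An administrator with no registered methods at all is still worth chasing, since that account has never completed a second-factor enrollment of any kind.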

More troubling is the way Deloitte chose to handle, or rather contain, the problem. The firm informed only a few partners and legal staff, along with the six clients it considered affected. With 84,940 professionals employed in the US, most Deloitte employees had no idea that a breach of this scale had taken place.

This decision could cost Deloitte dearly, in public opinion and possibly in law, because most US states and territories have security breach notification laws requiring firms to alert affected parties promptly when a cyber attack occurs. Those laws are generally triggered when defined categories of personal information are exposed, so whether they apply turns on exactly what the attackers took; but if uninformed client companies were harmed by the intrusion, Deloitte would be in a difficult position, since these provisions require that a firm suffering an attack report it "in the most expedient time possible" and "without unreasonable delay."

Informing everyone else only six months after the fact is hard to square with those requirements, and it could carry severe penalties if further clients turn out to have been caught up in the attack. Deloitte has also refused to name the government authorities and regulators it has informed, or to say whether it has approached law enforcement agencies.

The firm says it is now investigating to the best of its ability, in collaboration with outside security specialists it has engaged, to determine exactly what data was accessed or altered. Deloitte's own forensic capabilities are open to question at this point, given that it kept the breach quiet for months and has not revealed any of its plans for fixing the problem.

Companies pledge to serve the good of their customers and safely keep their data.

If their negligence and inadequate security standards allowed attackers into their systems, they should have had the backbone to inform their customers promptly.

Weekly Security Update Subscription


If you use a computer, you need up-to-date security information. Craig has been providing eSecurity consulting for more than 20 years and now runs the FBI's InfraGard webinars. There isn't a better source to keep you up to date with the latest, most important tips and warnings to keep your computers and network safe.

Join the hundreds of thousands of people who get the most important eSecurity information from Craig every week. It's free, it's easy and I never SPAM.

Keep an eye on your email box every Saturday morning around 9 am Eastern Time for your weekly newsletter. Add me@craigpeterson.com to your whitelist if it doesn't show up.