After reports that two of the big-three consumer credit agencies, Equifax and Experian, were hit by a major security breach, reports have now surfaced that one of the big-four accountancy firms, Deloitte, was breached last year, affecting all of its data.
The Deloitte hack compromised usernames, passwords and personal details of the firm’s employees as well as some of its ‘blue-chip’ clients, according to The Guardian’s report.
The report also mentioned that the company had been aware of the breach in its network since March 2017. Deloitte remained uncertain of the extent of the breach and of how long the intruders had access to its data.
The extent of the damage was confirmed by an anonymous source to security expert Brian Krebs, who also revealed that the security breach actually happened in the fall of 2016.
The unnamed source told KrebsOnSecurity, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”
Deloitte, one of the four biggest accountancy firms, offers services that include auditing, tax consultancy, and cyber security advice. Its client list includes several government agencies, pharmaceutical firms, multinational companies, media entities and some big banks too.
None of the breached accounts had a two-step verification system in place; they relied on just a single password for security.
It has been reported that emails to and from all of the 244,000 Deloitte employees, which were stored in Microsoft’s Azure cloud service, were accessible to the attackers — who are still unidentified.
Deloitte maintained that ‘very few clients’ had been impacted by the breach and all of them were contacted by the company as soon as the breach was discovered.
But the fact remains that it took several months for Deloitte to discover the intrusion and several more months to come clean about the entire incident, and even then only after The Guardian reported it.
Given the current predicament faced by big companies such as Equifax, Experian and now Deloitte, which are responsible for a trove of personal and financial information about their clientele, it goes without saying that a stronger and more efficient security framework needs to be in place.
Moreover, there is a need for accountability in case of such breaches instead of beating around the bush, because at the end of the day it’s the customer’s data that has been affected, which is much more catastrophic than a brand name getting tarnished.