The Deloitte data breach that compromised the confidential emails and plans of some of its clients affected Federal agencies.
Deloitte serves clients in finance, media, and government, which all had data in the breached email system. The affected organizations include major companies and U.S. government departments.
The breach was focused on U.S. organizations, and the hackers could have accessed usernames, passwords, IP addresses, architectural diagrams for businesses, and health information. Some of the obtained emails included sensitive security information and design details, The Guardian reported.
Deloitte is conducting an internal investigation to map out where the hackers went by analyzing the trail left by their electronic searches.
Deloitte discovered the hack in March, but the hackers may have had access to its systems since October or November 2016, which fuels the debate about what counts as reasonable notification of those affected by breaches.
“Above all, professional hackers want to compromise strategic sites that yield exponential rewards,” said Kenneth Geers, senior research scientist at Comodo and former National Security Agency analyst. “In a hack of this scale, criminals or spies will continue to reap dividends years down the road. The attack has gone on for at least six months, so the hackers may have been able to cover their tracks and/or install backdoors for future use.”
This attack is reminiscent of the recent Equifax breach. It was revealed Sept. 18 that Equifax had experienced another data breach in March and failed to disclose it until after the most recent breach in July, which affected about 143 million users. Rep. Ted Lieu, D-Calif., said that it was “disturbing” that Equifax took six weeks to inform users that their data had been breached in July.
Comodo Intelligence Labs found that Equifax executives’ passwords were available for sale on the Dark Web. In Deloitte’s case, the administrator account for the email system was not protected by multifactor authentication, so a single stolen password was enough to gain access.
“An Admin username and password to a global email server is like a digital Swiss Army knife to corporate and client secrets,” Geers said. “It is inexcusable for such an admin account not to have two-factor authentication. Only a foreign intelligence service could successfully absorb this much information; a cybercriminal group will have to sell the data so it can be repurposed. If the attack were primarily U.S.-focused, it could be that a foreign intelligence service was responsible. The irony is that Deloitte must have a first-class cybersecurity staff, and yet it still was hacked.”