Sources say Deloitte cyberattack may have impacted US government

10 Oct 2017

Deloitte. Image: 360b/Shutterstock 

The recent cyberattack on Deloitte was disclosed in September.

The Deloitte cyberattack shocked the world last month, and further details have been thin on the ground until today (10 October).

A report published by The Guardian said that 350 clients are estimated to have been hacked by the attackers, including multinationals, the United Nations and four US government departments.

There are more than 30 blue-chip companies mentioned in the dossier obtained by The Guardian. Clients that were made vulnerable include the US departments of state, energy, defence and homeland security as well as the National Institutes of Health in the US, the US Postal Service, and Fannie Mae and Freddie Mac (mortgage funders and guarantors).

At the time, Deloitte denied that any of the clients mentioned were “impacted” by the cyberattack. This is disputed by sources close to The Guardian, who said that Deloitte cannot be 100pc sure about what exactly had occurred.

Hackers used an admin password

The attack seems to have begun in autumn last year as Deloitte was migrating its email to cloud-based Office 365 at its Hermitage office in Nashville. Hackers allegedly got into the system using an admin account that could, in theory, have given them access to the company’s entire database of emails.

One source said: “The hackers had free rein in the network for a long time and nobody knows the amount of the data taken.” Apparently, Deloitte did not have multifactor authentication at the time of the breach.

Risk awareness is key

Oz Alashe, CEO of cybersecurity awareness platform CybSafe, told Siliconrepublic.com: “The loss of email address information from the Deloitte data breach could make it easier for fraudsters to commit ‘spear phishing’ attacks. Spear phishing emails are highly personalised versions of the more common phishing scam. Rather than regular phishing emails – generic emails which are usually sent to masses of people at the same time – spear phishing emails appear much more credible to the intended target.

“Deloitte must advise affected clients that spear phishing emails can be exceptionally convincing and even the most tech-savvy need to be cautious. 350 clients have supposedly been affected by the data breach, and each and every one of these organisations needs to be on guard for any suspicious emails and links that are sent to their compromised addresses.”

Alashe added that companies need to be more aware of the risks associated with elevated account privileges, and ensure that only those who need said privileges have them. 

Deloitte’s cyberattack strategy

In a statement, Deloitte said: “We looked at all of the targeted email messages in a manual document-by-document review process, with careful assessment of the nature of the information contained in each email. By conducting this eyes-on review, we were able to determine the very few instances where there may have been active credentials, personal information or other sensitive information that had an impact on clients.”

The company also stated that it has taken steps to further enhance its overall security architecture by expanding its centrally controlled, privileged access management system, and that it has completed its roll-out of multifactor authentication, which was underway at the time of the attack.

Deloitte has seen no signs of any subsequent activities from the attackers, and said no disruption to client businesses occurred.

Updated, 10.24am and 12.46pm, 11 October 2017: This article was updated to include a statement from Deloitte and also to amend an incorrect figure in relation to the number of clients affected by the attack.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects.

editorial@siliconrepublic.com