Deloitte, itself a provider of cybersecurity services, has confirmed a hack breached its email system, possibly exposing confidential client information.
According to The Guardian, the “big four” accounting firm discovered the hack in March, but it is believed the attackers may have had access to its systems since October or November 2016.
The hack compromised Deloitte’s global email server through an “administrator’s account” that, The Guardian’s sources said, required only a single password and did not have “two-step” verification. An estimated 5 million emails were stored in Microsoft’s Azure cloud service and could have been accessed by the hacker.
A Deloitte spokesman said the company had notified each of the “very few” clients impacted by the hack and its own internal review of the breach had “demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
But The Guardian said the breach was “a deep embarrassment for Deloitte, which offers potential clients advice on how to manage the risks posed by sophisticated cybersecurity attacks.”
In 2012, Deloitte was ranked the best cybersecurity consultant in the world. “Cyber risk is more than a technology or security issue, it is a business risk,” it tells potential customers on its website.
Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. Corporate clients include Morgan Stanley, Berkshire Hathaway, Starbucks, Boeing, and Microsoft.
“We remain deeply committed to ensuring that our cybersecurity defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity,” the company spokesman said. “We will continue to evaluate this matter and take additional steps as required.”
Cybersecurity expert Richard Stiennon, chief strategy officer of Blancco Technology Group, said the breach highlights the need to prioritize protections for email.
He recommended that email be protected against unauthorized access and that the content of emails be encrypted, so that email exchanges cannot be read without the participants’ keys.
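To make the second recommendation concrete, here is an added example (written for this article; it is not code from Deloitte, Blancco or The Guardian) of encrypting an email body so that only the two participants’ private keys can open it. The mail store, which in the case described above would be the cloud mailbox reached through a single-password admin account, holds only the envelope: the sender’s public key, a nonce and the ciphertext. The key pairs, the subject line, the message text and the use of a SHA-256 hash of the X25519 shared secret (instead of a full HKDF) are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything the mail server ever stores for one message.
// It carries no private key and no plaintext body.
type Envelope struct {
	SenderPub  []byte // sender's X25519 public key, so the recipient can derive the key
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // encrypted body plus GCM authentication tag
}

// GenerateKey creates a long-term X25519 key pair for one participant.
func GenerateKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// messageKey derives a 256-bit AES key from the X25519 shared secret.
// Assumption for this example: a labelled SHA-256 hash stands in for HKDF.
func messageKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("email-e2e-example-v1")) // context label binds the key to this use
	h.Write(secret)
	return h.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body from sender to recipient. The subject stays in the clear
// for routing but is authenticated as additional data, so tampering is detected.
func Seal(sender *ecdh.PrivateKey, recipient *ecdh.PublicKey, subject, body string) (Envelope, error) {
	key, err := messageKey(sender, recipient)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(body), []byte(subject))
	return Envelope{SenderPub: sender.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with one participant's private key and the other's public key.
// Any other key, or an altered subject, fails authentication instead of yielding garbage.
func Open(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, subject string, env Envelope) (string, error) {
	key, err := messageKey(priv, peer)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(subject))
	if err != nil {
		return "", fmt.Errorf("decrypt failed: %w", err)
	}
	return string(pt), nil
}

// OpenAsRecipient uses the sender public key carried inside the envelope.
func OpenAsRecipient(recipient *ecdh.PrivateKey, subject string, env Envelope) (string, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(env.SenderPub)
	if err != nil {
		return "", err
	}
	return Open(recipient, senderPub, subject, env)
}

func main() {
	alice, _ := GenerateKey() // sender (constructed participant)
	bob, _ := GenerateKey()   // recipient (constructed participant)
	server, _ := GenerateKey() // the mail store, or whoever holds its admin account

	env, _ := Seal(alice, bob.PublicKey(), "Q3 audit", "constructed confidential body")
	got, err := OpenAsRecipient(bob, "Q3 audit", env)
	fmt.Println("recipient:", got, err)
	_, err = OpenAsRecipient(server, "Q3 audit", env)
	fmt.Println("mail store:", err) // fails: no participant private key
}
```

The point the example makes is that compromising the store (or the account administering it) yields only envelopes; reading a message still requires one of the two participants’ private keys, which never leave their owners. Key distribution and storage of those private keys remain the hard part and are out of scope here.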