Deloitte’s Embarrassing Data Breach

On September 25th, 2017, Deloitte, one of the world’s “big four” accounting firms, acknowledged a breach of its internal email systems. The Guardian said the breach involved usernames, passwords and personal data on the accountancy’s top blue-chip clients. The hackers had access inside the company’s networks for months before the company noticed anything, and had compromised all administrator accounts as well as the entire internal email system.

As a global firm with cyber risk consulting as one of its biggest strengths, Deloitte failed to deploy the simplest of cybersecurity techniques. According to The Guardian, Deloitte failed to deploy elementary security measures such as requiring two-factor authentication. The firm also appears to have guarded large pools of data with a single password. Beyond the missing two-factor authentication, Deloitte’s corporate VPN passwords, usernames, and operational details were found on a public GitHub repository. An employee had also uploaded company proxy login credentials to his public Google+ page. This information was on the web for over six months.

Furthermore, Deloitte has many of its internal systems on the public internet with remote access enabled. At this point, they are just inviting hackers to take advantage of them. Everything should have been behind a secure network and a firewall. “Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register.

This breach was very embarrassing for Deloitte, which prides itself on being one of the top cyber risk consulting firms in the world. Analyst firm Gartner has named it the world’s best IT security consultant firm for the past five years. In response to the cyber incident, Deloitte has introduced multi-factor authentication and encryption software to try to stop further hacks.

-Tik Ho Chan

Sources:

https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/

https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails