Deloitte Hit By Cyberattack That Compromised Client Information & Decided To Basically Tell Nobody At All

from the ostrich-style dept

Wed, Sep 27th 2017 6:22am — Timothy Geigner

In the wake of the Equifax breach, there has been some discussion about just how quickly companies should publicly disclose when they have been victims of security breaches that reveal client information. In the case of Equifax, the company had essentially been sitting on the knowledge that it was attacked since July before going public in early September. Something like two months, in other words. While most people agree that victim companies should have some time to get their houses in order before opening the window shades, two months seemed like a lot, given the severity of the attack and the number of potential victims among Equifax's clients.

But two months is nearly lightning quick compared with Deloitte, the enormous accounting firm that discovered it was the victim of an attack in March and only bothered to tell the public, along with most of its clients, this week.

One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

Now, Deloitte may have discovered the breach in March, but there have been whispers that the attackers may actually have pulled all this off in October of last year. The attack was pulled off by accessing an administrator account that lacked anything resembling two-factor authentication, all hosted on Microsoft's Azure cloud service, and potentially exposing every sort of client data ranging from passwords and IP addresses to health information. The decision was made within Deloitte to only inform a few partners and legal staff within the company and a total of six Deloitte clients that the breach had even occurred. Most Deloitte staff and customers had no idea until these past few days.

And that decision could amount to a very real problem for the company, given that most US states and territories have security breach notification laws mandating when companies must tell clients when these sorts of attacks occur. If Deloitte has customers outside of the six it has informed in any of those states or territories, which is a virtual certainty, and those clients' information was exposed by this attack, Deloitte could be in violation of all kinds of state laws for failing to inform those customers what had happened. Most of these laws frustratingly rely on ambiguous language as to how quickly clients or residents of the state should be informed of the breach -- there is all kinds of "in the most expedient time possible" and "without unreasonable delay" language in these laws --, but it would be patently absurd for Deloitte to suggest that 6 months time meets any of those requirements.

In fact, Deloitte won't even acknowledge if it has ever contacted law enforcement about the breach.

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Now, for its part, Deloitte is making much of its ability to perform an internal review of the breach and the contracted security firms its engaged, all while stating that it has allowed them to pinpoint exactly what data was accessed and what wasn't, and that the amount actually accessed is very small. Except it's hard to take on faith the cyber-sleuthing capabilities when the firm has been so opaque about the breach thus far, and at least some of the notification laws require notification upon breach, not upon actual data acquisition.

If nothing else, it should be clear that covering this stuff up and trying to pretend it never happened is no way to do security.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cyberattack, data leak, disclosure, hack, leak
Companies: deloitte, equifax

16 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 27 Sep 2017 @ 6:30am

Deloitte is lying
This is far worse than they're admitting.
[ link to this | view in chronology ]
- XcOM987 (profile), 27 Sep 2017 @ 6:45am
  
  Re: Deloitte is lying
  As is par for the course really, Mike mentioned it in the Equifax that these are always worse than first reported, I forsee this being fairly bad, I wouldn't be surprised if this is someone acting out a real life version of "Mr Robot", first Equifax, now Deloitte, I wouldn't be surprised if this has massive implicatons on the economy and/or the populous.
  [ link to this | view in chronology ]
  - Lord Lidl of Cheem (profile), 27 Sep 2017 @ 8:06am
    
    Re: Re: Deloitte is lying
    A conspiracy bigger than all of us. There's a powerful group of people out there that are secretly running the world. I'm talking about the guys no one knows about, the ones that are invisible. The top 1% of the top 1%, the guys that play God without permission.
    [ link to this | view in chronology ]
    - Anonymous Coward, 27 Sep 2017 @ 8:24am
      
      Re: Re: Re: Deloitte is lying
      Same as it ever was
      [ link to this | view in chronology ]
  - Anonymous Coward, 27 Sep 2017 @ 10:42am
    
    noah fence
    but it's populace.
    [ link to this | view in chronology ]
  - XcOM987 (profile), 28 Sep 2017 @ 4:48am
    
    Re: Re: Deloitte is lying
    and as if by magic!
    [ link to this | view in chronology ]
That Anonymous Coward (profile), 27 Sep 2017 @ 6:33am

But we have laws saying we can put an ice cream cone in a pocket, or we can't offend elected officials...

You'd think companies responsible for billions of dollars or critical information that's gonna cause untold losses would have a law requiring them to report these things.

But then corporations are special & need to be treated with kid gloves. Goldman Sachs - we have emails showing they knew the shit was toxic, but we declined to prosecute because it would be hard. Abacus - hardly anything wrong but the only bank we took on for sub-prime mortgage wrong doing.
[ link to this | view in chronology ]
- XcOM987 (profile), 27 Sep 2017 @ 6:57am
  
  Re:
  From what I read, they were the only ones to do anything right, they fired the employee that was breaking the rules and reported it to the officals straight away, that really is a case of small enough to prosecute, it does send a signal that if your big enough you pretty much can do what you want, Like the banks giving the CEO's and whatnot big bonus' after being bailed out.
  [ link to this | view in chronology ]
Anonymous Coward, 27 Sep 2017 @ 6:41am

>And that decision could amount to a very real problem for the company, given that [laws]

LOL! Laws. Affecting large corporations! Hohoho, you little scamps with your humour.
[ link to this | view in chronology ]
- Anonymous Coward, 27 Sep 2017 @ 7:02am
  
  Re:
  Laws are for little people
  [ link to this | view in chronology ]
- JoeCool (profile), 27 Sep 2017 @ 7:22am
  
  Re:
  There's always a way around the law - if you have money, of course. For example, those reports states require when a breach occurs? Do they say exactly HOW the report should be? Maybe it's enough to mail a post card with "U be hakked, Dudez!!" on it, which then gets tossed in the trash at the destination.
  :)
  [ link to this | view in chronology ]
Mason Wheeler (profile), 27 Sep 2017 @ 8:10am

Deloitte? Isn't that one of those things that time travels at 88 MPH?
[ link to this | view in chronology ]
Anonymouse Coward, 27 Sep 2017 @ 8:36am

Am I just dreaming?
Deloitte has some pretty powerful & wealthy clients. Will those clients make those creatures in Washington DC squirm. Or am I just dreaming.

Of course, any hypothetical squirming won't help us nobodies. I'm not dreaming that much!
[ link to this | view in chronology ]
- JoeCool (profile), 27 Sep 2017 @ 10:22am
  
  Re: Am I just dreaming?
  Nah, they'll just make the gov bail them out... again, then give themselves big bonuses for a job well-done.
  
  /wish I were being sarcastic, but I'm not
  [ link to this | view in chronology ]
Anonymous Coward, 27 Sep 2017 @ 10:44am

They provide cybersecurity? I guess that doesn't mean what they (or their clients) think it means...
[ link to this | view in chronology ]
Anonymous Coward, 27 Sep 2017 @ 10:45am

absurd for Deloitte to suggest that 6 months time meets any of those requirements.
It all depends on who you are. For little people, it would probably be like 6 minutes. For big shots, 6 months will probably be considered "fast".
[ link to this | view in chronology ]