SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Hackers steal data through ‘easy back door’ in massive Deloitte breach
Wed, 27th Sep 2017

In just the last few weeks we've had three major breaches go public. Equifax. Securities and Exchange Commission (SEC). And now, Deloitte.

Deloitte is one of the largest private firms in the US, and the sophisticated hack compromised the confidential emails and plans of some of its blue-chip clients. Perhaps worst of all, the attack went unnoticed for months, with the hackers inhabiting the network and stealing data as it arrived.

The hacker gained access to Deloitte's underbelly via an administrator account, which theoretically would have provided them complete and unrestricted access to all of the data.

According to sources, the account lacked two-step verification and required only a single password, giving the hackers access to emails, usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

Last year the company reported a record US$37 billion of revenue, providing auditing, tax consultancy and ironically, high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

This torrent of recent data breaches makes clear that the challenges of commercial and government cybersecurity are continuing to converge.

However, a number of cybersecurity experts affirm all of these incidents were preventable had the affected organisations applied the proper practices and monitored typical behaviour and data access.

“Three major breaches. Three unique challenges. One important lesson learned. The industry must quickly focus on the crossroads between people, process and technology to adequately address these unyielding security threats,” says CTO of Data Protection and Insider Threat Security at Forcepoint, Brandon Swafford.

“The news of Deloitte's breach, reportedly resulting from a lack of multi-factor authentication that led to access of sensitive data in the cloud, highlights that a focus on any one security risk point is not adequate.”

Chris Ross, SVP International at Barracuda says this is another case of the very basic security practices not being followed.

“If the attacker in the Deloitte case got into their global email server through an administrator's account, then this is a classic case of account compromise,” says Ross.

“Judging by the lack of multi-factor authentication, it's very likely that the brute force attack took place via web access to the email server - potentially by successfully guessing the password.”

Ross says that, aside from a very strong password, two-factor authentication has become an industry standard, particularly for admin accounts, which have even more access to sensitive data.

“This attack also highlights the need for measures such as email encryption when exchanging confidential data,” says Ross.

“Cyber attackers may be developing ever more sophisticated and well-researched tactics, but not following basic security advice like this is in effect giving criminals a very successful and easy ‘back door’ into your organisation.”