Deloitte Touche Tohmatsu Limited, a UK-incorporated multinational professional services firm, was hit by a data breach on Monday.
Deloitte's global mail system was reportedly hacked, giving the hackers access to emails containing information about the company’s staff, as well as customer information on some of the company’s private and federal sector clients. The hackers might also have gained access to other information such as usernames and passwords.
The consulting giant confirmed the hack in an interview, saying that it has engaged in a “comprehensive security protocol” and investigation, and has notified clients at risk. Deloitte stated that only a few clients were impacted by the attack, and it appears to be cooperating with an outside legal firm.
Hackers were reported to have been lurking in the company’s system since October or November 2016; the attack was first discovered in March. Deloitte apparently was not using two-factor authentication on the email server, which was hosted on the Azure cloud service.
Companies like Deloitte are often targets of data breaches, and this specific kind of breach is particularly alarming for managed security services providers, according to Alton Kizziah, vice president of global managed services at Kudelski Security.
“We do a lot of things to specifically prevent this type of attack. … It is very stressful and very worrying when you see these things to think we could be a conduit for an attack on one of our clients,” said Kizziah.
Deloitte has not yet released a statement regarding the extent of the impact on the company’s consulting and services customers.
The Trend of Data Breaches
The third-party ecosystem has been the target of a growing trend of data breaches: hackers attack one company in order to reach another company that it does business with or is otherwise involved with.
The solution provider channel is made up of the core companies in that environment, and institutions like Deloitte, which offers multiple financial consultancy, audit, and cyber security services, are tempting targets for hackers seeking client information.
According to a report by the National Cyber Security Centre, BAE Systems and PricewaterhouseCoopers UK, a China-based hacking group has been targeting companies in a similar industry to Deloitte and others with “common as well as custom malware.”
In response to the cyber incident, Deloitte mobilized a team of cyber security and confidentiality experts, both internal and external. It alerted government authorities immediately after it became aware of the attack and contacted all of the clients affected.