Story image

Hackers steal data through ‘easy back door’ in massive Deloitte breach

27 Sep 2017

In just the last few weeks we’ve had three major breaches go public. Equifax. Securities and Exchange Commission (SEC). And now, Deloitte.

One of the largest private firms in the US, the sophisticated hack compromised the confidential emails and plans of some of Deloitte’s blue-chip clients. Perhaps worst of all, the cybersecurity attack has gone unnoticed for months with the hackers inhabiting the network and stealing data as it comes.

The hacker gained access to Deloitte’s underbelly via an administrator account, which theoretically would have provided them complete and unrestricted access to all of the data.

According to sources, the account was absent of two step verification and only required a single password to give the hackers access to emails, usernames, passwords, IP addresses, architectural diagrams for businesses and health information.

Last year the company reported a record US$37 billion of revenue, providing auditing, tax consultancy and ironically, high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

This torrent of recent data breaches makes clear the challenges of commercial and government cybersecurity are continuing to converge.

However, a number of cybersecurity experts affirm all of these incidents were preventable had the affected organisations applied the proper practices and monitored typical behaviour and data access.

“Three major breaches. Three unique challenges. One important lesson learned. The industry must quickly focus on the crossroads between people, process and technology to adequately address these unyielding security threats,” says CTO of Data Protection and Insider Threat Security at Forcepoint, Brandon Swafford.

“The news of Deloitte's breach, reportedly resulting from a lack of multi-factor authentication that led to access of sensitive data in the cloud, highlights that a focus on any one security risk point is not adequate.”

Chris Ross, SVP International at Barracuda says this is another case of the very basic security practices not being followed.

“If the attacker in the Deloitte case got into their global email server through an administrator’s account, then this is a classic case of account compromise,” says Ross.

“Judging by the lack of multi factor authentication, it’s very likely that the brute force attack took place via web access to the email server - potentially by successfully guessing the password.”

Ross says that aside from a very strong password, two factor authentication has become an industry standard, particularly when it comes to admin accounts that have even more access to sensitive data.

“This attack also highlights the need for measures such as email encryption when exchanging confidential data,” says Ross.

“Cyber attackers may be developing ever more sophisticated and well-researched tactics, but not following basic security advice like this is in effect giving criminals a very successful and easy ‘back door’ into your organisation.”

Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”
CylancePROTECT now available on AWS Marketplace
Customers now have access to CylancePROTECT for AI-driven protection across all Windows, Mac, and Linux (including Amazon Linux) instances.