Deloitte confirms cyber hack exposed client information

Ranked as one of the largest providers of cyber-security services, Deloitte has conceded it fell victim to a cyber attack.

Deloitte says only “very few clients” were affected when a cyber hacker accessed data from an email platform. The hack did not disrupt business, the firm said.

A press report out of Europe says six Deloitte clients were informed that their information was affected by the hack. Relying on unnamed sources, the report says the firm discovered the intrusion in March and that hackers may have had access to the system since October or November of 2016.

The report also indicates Deloitte’s email among some 244,000 staff members is stored in a cloud system provided by Microsoft. It says the hacker gained access through an administrator account that was protected by only a single password.

In response to the discovery of the intrusion, Deloitte says it implemented its security protocol and performed an “intensive and thorough” review of its systems, using both internal and external experts. The firm says it contacted government authorities and each of the clients affected by the breach.

“Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information, and to continually reviewing and enhancing cyber security,” the firm said in a statement.

News of the breach at Deloitte comes only days after the Securities and Exchange Commission acknowledged it also discovered an intrusion of its EDGAR database containing public filings. And that followed an epic breach at consumer credit rating agency Equifax, exposing the personal financial data of approximately 143 million U.S. consumers.

Richard Stiennon, director of the International Data Sanitization Consortium, says the Deloitte intrusion represents a “simplistic breach” through a point of entry that’s easy for a hacker to access. Given how much information flows through email, that makes it a logical target for hackers and a lesson for companies about the importance of better protection for email systems.

“A complete data governance regime should put email at the top of concerns,” says Stiennon. “Email should be first protected against unauthorized access.” Equally important, he says, is managing email content using encryption or regular scrubs.