Although it’s embarrassing, it’s also survivable (Verizon Enterprise Services, publisher of the famed DBIR, has also lived through an embarrassing security breach). What’s not survivable, however, is lying – which Deloitte appears to have done.
The initial Deloitte security breach notification was extremely conservative. It identified only a few key accounts as having been breached, and stated that the six affected clients had experienced no serious disruption in their business. As it turns out, however, this statement could not be further from the truth. An initial statement leaked to Brian Krebs, of the site Krebs on Security, reveals the following information:
- Attackers had free rein of the entire email database, including administrator accounts.
- Several gigabytes of data were exfiltrated, but that may not encompass the entirety of the theft.
- As of late September 2017, investigators are still not certain that the attackers are gone.
- Leaders at Deloitte may have had knowledge of the breach since at least October 2016.
The Deloitte breach, in other words, affected all its clients, which include multiple departments of the US government, for between six months and a year. During that time, the attackers may have been able to read every email sent between Deloitte and its clients. Lastly, administrators may have had full knowledge of this. There’s a lot to unpack here.
How Does a Security Breach Like This Even Happen?
Even without knowing how exactly the attackers were able to breach Deloitte, their response to the incident has been nothing short of cringeworthy. Once you find out how the breach was accomplished, the response looks laughable. Here’s what happened:
They forgot to implement two-factor authentication.
More specifically, Deloitte hosted its communications in an instance of Microsoft Azure (Microsoft’s answer to AWS). A single administrator account with access to the Azure implementation was guarded only by a username and password, without any two-factor authentication (2FA). Attackers stole this administrator’s credentials and used them to gain access to the entire email system.
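The failure described above is a single privileged account left outside the 2FA policy. The following is an added example (not code from the original post, and not Safe-T's product) of the kind of audit a defender runs to catch exactly that gap: it walks a set of directory records, treats only an enforced second factor as compliant, and ranks any privileged account without it ahead of everything else. The record shape, the role names, the three-value `mfa_state` vocabulary and the sample accounts are all constructed assumptions for the example; a real run would feed it records exported from the identity provider.

```python
"""Flag privileged accounts whose MFA is not enforced.

Added, illustrative check; it does not call any real directory API.
The record shape (user, roles, mfa_state) is an assumption for the example.
"""
from dataclasses import dataclass
from typing import Iterable

# Roles the policy treats as privileged (constructed list for the example).
PRIVILEGED_ROLES = frozenset({
    "Global Administrator",
    "Exchange Administrator",
    "Privileged Role Administrator",
})

# Only "enforced" satisfies the policy: a second factor that is registered but
# optional still lets a stolen password log in on its own.
ACCEPTED_MFA_STATES = frozenset({"enforced"})


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset
    mfa_state: str  # one of "none", "registered", "enforced" (constructed vocabulary)


@dataclass(frozen=True)
class Finding:
    user: str
    roles: tuple
    mfa_state: str
    severity: str


def is_privileged(account: Account) -> bool:
    """True if the account holds at least one role the policy calls privileged."""
    return bool(account.roles & PRIVILEGED_ROLES)


def audit_mfa(accounts: Iterable[Account]) -> list:
    """Return one Finding per account that violates the MFA policy.

    Privileged accounts without enforced MFA are 'high'; ordinary accounts
    without enforced MFA are 'medium'. Compliant accounts produce nothing.
    """
    findings = []
    for acct in accounts:
        if acct.mfa_state in ACCEPTED_MFA_STATES:
            continue
        severity = "high" if is_privileged(acct) else "medium"
        findings.append(Finding(acct.user, tuple(sorted(acct.roles)), acct.mfa_state, severity))
    # Worst first, so a single unprotected administrator is never buried in the list.
    findings.sort(key=lambda f: (f.severity != "high", f.user))
    return findings


def privileged_gaps(accounts: Iterable[Account]) -> list:
    """Usernames of privileged accounts that are not MFA-enforced (the gap described above)."""
    return [f.user for f in audit_mfa(accounts) if f.severity == "high"]


# Constructed sample directory: four accounts, one of them an admin whose MFA
# is registered but never enforced.
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", frozenset({"Global Administrator"}), "enforced"),
    Account("bob@example.com", frozenset({"Exchange Administrator"}), "registered"),
    Account("carol@example.com", frozenset(), "none"),
    Account("dave@example.com", frozenset({"Helpdesk"}), "enforced"),
]

if __name__ == "__main__":
    for f in audit_mfa(SAMPLE_ACCOUNTS):
        roles = ",".join(f.roles) or "-"
        print(f"{f.severity.upper():6} {f.user:22} roles={roles} mfa={f.mfa_state}")
```

Run against the sample, the audit reports `bob@example.com` as a high finding and `carol@example.com` as medium; the point of the severity split is that one unprotected administrator is the whole problem, while an unprotected ordinary user is a smaller one. Treating "registered" as non-compliant is deliberate: the breach as described was a password-only login, and a registered factor that is not required at sign-in does nothing to stop that.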
Security Breaches and Consequences
The repercussions of the cyberattack are going to be extremely negative for Deloitte. As just one example, Deloitte almost certainly committed a compliance violation by leaving its email system unguarded. Since Deloitte has a healthcare vertical, the contents of its email database may have contained personal health information (PHI). Although HIPAA does not specifically mandate 2FA, it requires companies to implement strong controls regarding information management and access.
Similarly, Deloitte would have violated PCI DSS if any payment information from its customers passed through their email system. PCI DSS specifically mandates multifactor authentication in Requirement 8.3. Although PCI DSS violations are less widely reported than HIPAA breaches, the associated fines are much more severe, often running into the tens of millions of dollars.
Thirdly, there’s the GDPR to consider. Deloitte has clients in the EU, and it looks like they knew about their breach in October – but didn’t notify their clients until March. Under the GDPR, which goes into effect next year, companies will have only 72 hours to conduct breach notifications. Deloitte badly needs to update its incident response timelines if it expects to retain its EU customers.
Lastly, there’s the reputational damage to consider. Deloitte is the largest security consultant on the planet, and touts its security expertise to governments worldwide. What do you think will happen to their clients when they find out the company was tripped up by such a simple error – and then responded so poorly?
How to Avoid Embarrassing Security Breaches
The Deloitte breach response was bad, but it didn’t have to be. If they had been using Safe-T, they’d have had access to an automated policy enforcement engine that would apply 2FA to all administrator email accounts. There would have been no way for even one account to have been unprotected, thus mitigating the attackers’ ability to infiltrate the Deloitte email servers.
Second of all, Safe-T’s Software Defined Access masks your attack surfaces from the web. This means that even if an attacker had stolen legitimate credentials, and if that email account were still unprotected by 2FA, the attacker still wouldn’t have been able to log in. That’s because their ability to recon a corporate network and find its connected domains would have been completely stymied.
In the world of information security, simple mistakes can lead to a world of hurt. Safe-T automates and reinforces your defenses so that simple mistakes simply can’t happen. For more information on how to protect your critical data with Safe-T, ask for a free trial today!