Research

Deloitte Breach

Written by Reflare Research Team | Sep 29, 2017 5:46:00 PM

The hacking attack on Deloitte is the latest in a disturbing trend of hacking attacks against large organisations whose email services use Microsoft’s Office 365 system.

First Published 29th September 2017

Maybe they could bring in some consultants?

4 min read  |  Reflare Research Team

After the Equifax and SEC breaches of previous weeks, international consulting and auditing firm Deloitte has been the next high-profile target to suffer a large-scale hacking attack. In this briefing, we will take a look at the details of the breach and why even companies in the information security business are not immune to attacks.

What happened?

While little information is available from Deloitte itself, reporting by the Guardian, Forbes, and the Register implies that the email system used by the company was breached through a weak administrator password. Deloitte uses Microsoft’s Office 365 email service which offers two-factor authentication as part of selected price plans. Whether Deloitte chose not to use two-factor authentication, chose a price plan that didn’t support it, merely forgot to set it for the account in question, or if two-factor authentication was somehow circumvented, remains unclear.

With administrative access to the email systems, attackers theoretically had access to a large segment of emails sent and received by Deloitte and its customers. As the firm specifically caters to large enterprises, confidential information contained in such emails is very likely to be easily monetized - either by selling it to competitors or by abusing it for insider trading.

How could this breach happen?

Deloitte itself is a major provider of information security services for large companies and governments and has acquired an excellent reputation in the field. A breach of this scale naturally leads to the question of how an organization with strong security capabilities can nonetheless be vulnerable to attack.

Apart from human error being almost impossible to completely prevent, one factor, in particular, seems to have played a major role in this breach: Fragmentation.

Deloitte employs more than 260,000 people in almost every country across the globe. Organizations of this scale commonly prefer a decentralized management structure to allow subsidiaries to adjust to their region's customs and legal requirements. The drawback of this management structure is that security and compliance can vary greatly between locations. Reports indicate that while two-factor authentication was strictly enforced across many of Deloitte’s European and Asian locations, enforcement in Northern America was more relaxed. Ultimately this appears to be what led to the breach.

At the same time, as the number of employees grows, the number of individuals putting the company at risk through accident, malice, negligence or ignorance grows as well. Since the breach, researchers have found many systems or credentials belonging to Deloitte accessible over the public internet. While such misbehaviour can not be fully prevented, combating it aggressively is an essential element of any organization’s security strategy.

How could this breach have been prevented?

As we have pointed out in previous briefings, no system is absolutely secure and no recommendation can guarantee that no further breaches will take place. However, we do recommend that organizations with a global decentralized management structure enforce at least a minimal information security policy globally. Such a policy should include the use of two-factor authentication for critical systems.

To combat employee misbehaviour, a combination of strict policy enforcement, auditing and education is the best tool currently available.