Major global accountancy and consultancy firm Deloitte has become the latest victim of a cyberattack, resulting in the leak of personal emails and details of some of its clients.
A Guardian investigation found that the New York-based firm became aware of the hack in March, but it is understood that officials within the company believe the attack may have been ongoing since late 2016.
Deloitte is one of the best-known names for business consultancy worldwide and reported revenue of $37 billion (approx. £27.4 billion) last year. It advises on auditing, tax and cybersecurity for many of the world’s largest organisations, including banks and governments.
Deloitte insists that only a very small proportion of its client base has been impacted, and the Guardian reports that only six of its clients have been informed that their information was affected.
It is believed that the breach was achieved through an administrator email account that had high privilege levels and access to all areas. It is also noted that this email account was not using two-factor authentication.
Richard Stiennon, chief strategy officer at security firm Blancco Technology Group, commented on the importance of protecting emails: ‘Deloitte’s experience with a simplistic breach of their Microsoft 365 infrastructure through an easy-to-access administrator account highlights how easy it is to overlook critical information stores.
‘A complete data governance regime should put email at the top of concerns. The industry will have an excellent chance to learn from Deloitte’s breach of its email servers.’
An internal investigation into the incident is ongoing. Deloitte hired major U.S. law firm Hogan Lovells in late April to help investigate the breach. Deloitte and its lawyers are working to establish the source of the hack by tracing the steps of the attackers.
U.S. credit agency Equifax was recently the victim of one of the largest data breaches in history, with the leak of 143 million social security numbers and other personal details.