Slashdot Mirror


Deloitte Hit By Cyber-attack Revealing Clients' Secret Emails (theguardian.com)

Accounting firm Deloitte confirmed on Monday it had suffered a cyberattack. From a report: One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal (the company has since confirmed the breach). Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. One of the largest private firms in the US, which reported a record $37bn revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments

49 comments

  1. So, does this mean they will release... by Anonymous Coward · · Score: 1

    Financial data, of course, is what we think of as some of the most private of data.

    And it's also some of the data that we would most benefit from knowing.

  2. Cybersecurity advice? by Anonymous Coward · · Score: 3, Funny

    Deloitte provides auditing, tax consultancy and high-end cybersecurity advice

    Not anymore, I imagine.

    1. Re:Cybersecurity advice? by olsmeister · · Score: 4, Funny

      They can tell you exactly what not to do.

    2. Re:Cybersecurity advice? by HornWumpus · · Score: 1

      They will still gladly tell you that whatever you are doing is good. For $400/hour.

      That's basically their (big accounting consultancies) role, provide cover, tell you what you want to hear.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:Cybersecurity advice? by OneHundredAndTen · · Score: 1

      Like Arthur Andersen before them, Deloitte, Price Waterhouse, etc. sell a lot of hot air at very high prices. But, their people dress impeccably.

    4. Re:Cybersecurity advice? by Anonymous Coward · · Score: 1

      They can tell you exactly what not to do.

      Our current Best Practices include:

      (1) Do not have been our client since at least the fall of 2016.

    5. Re:Cybersecurity advice? by bleh-of-the-huns · · Score: 2

      That's not completely true. I most definitely am not full of hot air... then again they never would have hired me... I came over with a buyout by Deloitte of my company. There are a ton of very technical very competent people in their respective fields. Sadly, there are not enough of us.

      --
      I came, I conquered, I coredumped
    6. Re:Cybersecurity advice? by bravecanadian · · Score: 1

      They will still gladly tell you that whatever you are doing is good. For $400/hour.

      That's basically their (big accounting consultancies) role, provide cover, tell you what you want to hear.

      Yup. Auditors are a textbook case of a conflict of interest.

    7. Re:Cybersecurity advice? by Wootery · · Score: 1

      I was going to call you on your grammar, but I think it's technically correct.

    8. Re:Cybersecurity advice? by Anonymous Coward · · Score: 0

      Join the club. Deloitte bought my company as well. Doubt I would be with them except for that. Fantastic place to work at.

  3. "high-end cybersecurity advice" by Anonymous Coward · · Score: 0

    I guess they won't be offering that service any longer.

  4. All Internal Email. All Admin Accounts by Anonymous Coward · · Score: 1

    https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

    Source: Deloitte Breach Affected All Company Email, Admin Accounts

    Deloitte, one of the world’s “big four” accounting firms, has acknowledged a breach of its internal email systems, British news outlet The Guardian revealed today. Deloitte has sought to downplay the incident, saying it impacted “very few” clients. But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.

  5. Cyberpocalypse? by mschwanke97402 · · Score: 4, Insightful

    I think we are rapidly approaching the day when the fun and games of the free, open Internet, with every last gadget, device, appliance, phone, tablet, laptop, pc and server all being on that very same Internet.

    Why there would need to be direct access from the public Internet to some of the data we've seen compromised recently is beyond me. Cheap bastards in the C-Suites? I get that if I want to see my account in an online banking web site that the web server I access is going to be connected to the public Internet but why wouldn't the back-end, such as the customer database be on a separate network with tightly controlled access from the public facing web servers to the back-end databases. It shouldn't be possible to connect from the public Internet via some exploit in the public-facing web server and then just dump the contents of all the back-end database servers.

    Am I just being naive here? Are we going to end up requiring all connected devices have licenses/permits?

    1. Re:Cyberpocalypse? by PolygamousRanchKid · · Score: 5, Informative

      USA, around 1984: "Where's the beef . . . ?"

      Today: "Where's the hack . . . ?"

      TFA seems to imply that someone misused an email administrator id and password. Not really a "hack", in any sense of the word.

      Whenever you have any information stored anywhere . . . the loosest link in the security chain will be human. Read up about Markus Wolf, the former East German Secret Police spy chief, also known as, "the man without a face."

      Wolf managed to use "Romeos" to enchant bored secretaries of top West German politicians. This disclosure by Deloitte is nothing more than an admission of "pillow talk" . . . someone entrusted with an account and password misused it or passed it on to someone not authorized.

      There's nothing really "tech" about this story . . . just plain simple industrial espionage, as usual.

      Just bribe the sysadmins . . . it's a lot easier than trying to do any hacking.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    2. Re:Cyberpocalypse? by ceoyoyo · · Score: 1

      Yes. The bank's server has to be connected to their webpage in order for you to manipulate your account. Hopefully the security on that connection is pretty good, but it can't be perfect.

      Deloitte e-mails, same thing. E-mail isn't much use if it's not connected to the Internet.

    3. Re:Cyberpocalypse? by HornWumpus · · Score: 1

      It is possible to restrict admin logins to the local network. Which only means they have to own a workstation first. No magic bullets.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:Cyberpocalypse? by Anonymous Coward · · Score: 0

      Um no... Not pillow talk:

      https://autodiscover.deloitte.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.deloitte.com%2fecp

      On work computer, so no points for me... Just wanted to point out that this is negligence, not even social engineering.

    5. Re:Cyberpocalypse? by dissy · · Score: 1

      It shouldn't be possible to connect from the public Internet via some exploit in the public-facing web server and then just dump the contents of all the back-end database servers.
      Am I just being naive here?

      Well that web server has to get the data it's showing you from the back-end server, which means an exploited web server running a rogue process can get that same data.

      One may argue that us people don't need quite that much data to be on the web site to view in the first place, but I'm assuming at least someone argued that they do want to, and the companies thus did so.

      What you are referring to is "security in layers":
      Web server makes API requests to another server, that makes API requests to another server or database. The communications are completely restricted to nothing but that API, and the APIs are restricted to only be able to get at certain things.

      But sadly that requires actually making those layers, and ideally each layer managed by a separate person or team, meaning hiring enough people to fill all those separate spots.
      It also requires a management team that doesn't act like security in layers is "restricting them" or "an assault on their authority" and simply threatens everyone to allow everything so he or she won't be potentially inconvenienced in any way or perceive that someone is telling him no as an affront to his or her "I am a god!" mentality.

      It can be done right if someone at the top demands it is done right and tells everyone below to fuck off and deal with it or they're fired, including all lines of management.
      It's just rare to find such companies structured that way with enough people that care about it to actually do the work needed.

    6. Re:Cyberpocalypse? by ceoyoyo · · Score: 1

      Sure, you can make things harder, as I said. But if you can manipulate your account over the Internet, I can. If you're clever you can set it up so I can't drain everyone's account using one login from the Internet, without compromising an internal machine first. I suspect most banks are set up this way, since there haven't been any cases of mass account emptyings.

      In this case it sounds like an e-mail admin's password was compromised and email stolen. E-mail servers don't work so well when they're not connected to the Internet. But if you're sending secret stuff unencrypted in e-mail you're an idiot anyway.

    7. Re:Cyberpocalypse? by bleh-of-the-huns · · Score: 1

      When your company is as large and widespread as many of the consulting companies, many who encourage work from home, it can be difficult to enforce restricting logins to a specific network. This is why 2FA is important.

      --
      I came, I conquered, I coredumped
    8. Re:Cyberpocalypse? by mschwanke97402 · · Score: 1

      Yes. The bank's server has to be connected to their webpage in order for you to manipulate your account. Hopefully the security on that connection is pretty good, but it can't be perfect.

      Deloitte e-mails, same thing. E-mail isn't much use if it's not connected to the Internet.

      My question was if the bank's back-end data servers could be on an internal only LAN with a very restrictive connection allowed from the public web servers, something that could only get a single record at a time and only with customer credentials then.

    9. Re:Cyberpocalypse? by mschwanke97402 · · Score: 1

      Well that web server has to get the data it's showing you from the back-end server, which means an exploited web server running a rogue process can get that same data.

      One may argue that us people don't need quite that much data to be on the web site to view in the first place, but I'm assuming at least someone argued that they do want to, and the companies thus did so.

      What you are referring to is "security in layers": Web server makes API requests to another server, that makes API requests to another server or database. The communications are completely restricted to nothing but that API, and the APIs are restricted to only be able to get at certain things.

      But sadly that requires actually making those layers, and ideally each layer managed by a separate person or team, meaning hiring enough people to fill all those separate spots. It also requires a management team that doesn't act like security in layers is "restricting them" or "an assault on their authority" and simply threatens everyone to allow everything so he or she won't be potentially inconvenienced in any way or perceive that someone is telling him no as an affront to his or her "I am a god!" mentality.

      It can be done right if someone at the top demands it is done right and tells everyone below to fuck off and deal with it or they're fired, including all lines of management. It's just rare to find such companies structured that way with enough people that care about it to actually do the work needed.

      Thanks for the informative post. I honestly believe there are a ton of corporate data servers with direct to the Internet connections, well, a firewall maybe, but then probably a Cisco, so...

    10. Re:Cyberpocalypse? by jezwel · · Score: 1

      My question was if the bank's back-end data servers could be on an internal only LAN with a very restrictive connection allowed from the public web servers, something that could only get a single record at a time and only with customer credentials then.

      They're not hacking the bank's multi-layered firewalls then searching around the LAN looking for the customer databases and hacking those systems; they target the systems that are known to be connected to the data that is desired, i.e., those public facing web servers. Compromise those and use the credentials that the web server uses to get access to the database.
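
The layered design dissy describes above and the attack path jezwel points out (a compromised public web server reusing the web server's own database credential), side by side as an added example that is not part of the original thread: the flat web tier holds a database handle and can dump every row, while the layered web tier holds only a BackendService handle whose single read path returns one record, for the customer a session token was issued to. BackendService, the customers table and the sample users are all constructed for this example.

```python
# Added example, not from the original thread: a minimal "security in layers" back-end
# beside the flat design. All names and the sample customers here are constructed.
import hashlib
import hmac
import secrets
import sqlite3

SAMPLE_CUSTOMERS = [("alice", "correct horse", 120), ("bob", "battery staple", 75),
                    ("carol", "hunter2", 9000)]  # constructed sample data

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the customer database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT UNIQUE,"
               " salt BLOB, pw_hash BLOB, balance INTEGER)")
    for name, pw, bal in SAMPLE_CUSTOMERS:
        salt = secrets.token_bytes(16)
        db.execute("INSERT INTO customers (username, salt, pw_hash, balance) VALUES (?,?,?,?)",
                   (name, salt, _hash(pw, salt), bal))
    return db

def flat_web_tier_dump(db: sqlite3.Connection) -> list:
    """Flat design: the web server holds a DB credential, so a rogue process on a
    compromised web server reads every row in one query."""
    return db.execute("SELECT username, balance FROM customers").fetchall()

class BackendService:
    """Layered design: the only component that ever touches the database."""

    def __init__(self, db: sqlite3.Connection):
        self._db = db          # never handed to callers
        self._sessions = {}    # token -> customer id; each token is scoped to one customer
        self.audit = []        # (event, detail) pairs for the defender's log

    def login(self, username: str, password: str):
        """Check customer credentials; on success issue a token bound to that customer."""
        row = self._db.execute("SELECT id, salt, pw_hash FROM customers WHERE username=?",
                               (username,)).fetchone()
        if row is None or not hmac.compare_digest(row[2], _hash(password, row[1])):
            self.audit.append(("login_failed", username))
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = row[0]
        return token

    def get_account(self, token: str):
        """The single read path: one record, for the customer the token belongs to."""
        cid = self._sessions.get(token)
        if cid is None:
            self.audit.append(("bad_token", token[:8]))
            return None
        self.audit.append(("read", cid))
        return self._db.execute("SELECT username, balance FROM customers WHERE id=?",
                                (cid,)).fetchone()

def layered_web_tier_dump(api: BackendService, tokens: list) -> list:
    """What a compromised web server can pull in the layered design: only the
    records behind the session tokens currently in its memory, one each."""
    return [r for r in (api.get_account(t) for t in tokens) if r is not None]
```

The audit list is the piece a detection engineer would forward to the SIEM: a burst of bad_token or read events from one web host is the signal that a web tier is being used to enumerate records.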

  6. So, there WILL be an accounting? by Anonymous Coward · · Score: 0

    Or just another day at the office, with Russians in the woodwork?

  7. Virtual Machines by ironicsky · · Score: 1

    With all these types of attacks surfacing, I question why we let production machines access the internet at all. I'm talking no email client, no browsers, no FTP or SSH, nothing. All ports to the internet are closed for business.

    Instead, all users would have a Citrix or RDP app installed which provides the same apps, Outlook, Chrome, and other internet utilities. The virtual machine those apps are running on is on a different VLAN (or a physically separated connection), which only has access to the corporate network through ports that support the remote VM session, as well as a single DMZ'd file server.

    Any file downloaded through the remote session would be saved to the DMZ, which is processing all files automatically, scanning for malware, objectionable content, executable code, steganographically hidden content, etc. Once the file is marked as safe a process running on the corporate network grabs the files and moves them into the corporate network for access.

    Likewise, a user who needs to send a file out would save the file to a "pick up" location on their corporate network, and the process would work in reverse. It would be scanned for objectionable content, then pushed to the DMZ file pick-up location that the user could then send out by email or other processes.

    1. Re: Virtual Machines by Anonymous Coward · · Score: 1

      Wow! You've basically reinvented paper letters, envelopes, and the postal system. That's great and all, except your approach somehow manages to be slower and costlier.

    2. Re:Virtual Machines by Anonymous Coward · · Score: 0

      It's not that simple. It will be inconvenient for one thing. Then there are cases where primary machines NEED Internet. Oh, I have to fill out a request and wait two months for IT to get everything set up? Yeah... right... People will then start running EVERYTHING in the VM which means you're no better than you were. Sure, you can lock the VM's up so people can't do anything. Good luck watching your business crawl to a halt.

    3. Re:Virtual Machines by swb · · Score: 1

      The real apocalypse is when all of this becomes a practical necessity and we lose about 75% of the productivity gains from computer automation.

      I guess the new jobs will be in the form of a new steno pool. Millennials can re-enter the data on spreadsheets and documents in a clean-room environment. People will still "exchange" documents, they just won't realize they're being transcribed in between.

    4. Re:Virtual Machines by CaptainDork · · Score: 1

      I've implemented your suggestions for remote access and the crack in that wall is the part about, "access."

      Another crack is the "remote," part.

      Those two factors sorta describe what's called a, "hack."

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Virtual Machines by Anonymous Coward · · Score: 0

      There are several products that do this and I can think of at least five separate ways to circumvent your awesome "new" idea.

      Nice try though.

    6. Re:Virtual Machines by Anonymous Coward · · Score: 0

      You know, you make some good points sometimes, and I want to mod you up...and then I remember that you quote yourself in your .sig (and have been for years), and I just can't bring myself to do it.

  8. Wrong headline by Alain Williams · · Score: 5, Insightful

    The wording was about ''cyber-attack'' which sets the tone ''Oh, unfortunate Deloitte'' - whereas it should have been something like ''Deloitte is the latest incompetent company to spew client information over the Internet''.

    It is about time that these crappy companies were called out for what they are. Oh: put the CEO's head on the block for this: make him pay for what this costs customers out of his own pocket - if it is paid for by Deloitte (or their insurers) then nothing will ever change.

    1. Re:Wrong headline by HornWumpus · · Score: 1

      You can bet the real dirt wasn't in 'Toilet and Douches' email system in the first place. Their 'consultants' understand the importance of deniability/non-discoverability and maintain private emails.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Wrong headline by stabiesoft · · Score: 2

      They better hope so. If the hackers got the real dirt, I wonder if the hackers could get the IRS bounty for tax fraud?

  9. First, they came for the billionaires... by PopeRatzo · · Score: 3, Insightful

    I'm pretty sure the world would be a better place if the secret emails of Deloitte's "blue chip" clients were made public.

    --
    You are welcome on my lawn.
    1. Re:First, they came for the billionaires... by Anonymous Coward · · Score: 0

      Because the Panama Papers release did wonders for the world?

    2. Re:First, they came for the billionaires... by PopeRatzo · · Score: 1

      Because the Panama Papers [icij.org] release did wonders for the world?

      Yes, the release of the Panama Papers is a step toward a better world.

      --
      You are welcome on my lawn.
  10. Remember Enron... by Anonymous Coward · · Score: 0

    If you think that Arthur Andersen can't happen again, read about it in "The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron".

    1. Re: Remember Enron... by Anonymous Coward · · Score: 0

      Mod down. Blatant Creimer spam.

    2. Re: Remember Enron... by Anonymous Coward · · Score: 0

      More Creimer affiliate links. Oh goodie.

    3. Re: Remember Enron... by Anonymous Coward · · Score: 0

      Creimer posting affiliate links as an AC again. Mods do the right thing. Thanks.

  11. Sophisticated hack that compromised plans .. by najajomo · · Score: 1

    Sophisticated? You're kidding; they logged in using an administration account that didn't use two-factor authentication.

  12. Security consultant who doesn't use two-factor by Anonymous Coward · · Score: 0

    Deloitte must be a great source of advice on security. "The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. The account required only a single password and did not have “two-step” verification, sources said."

  13. Panama Papers pt. 2 by Anonymous Coward · · Score: 0

    I'll bet this will be a treasure trove if the press or general public got a hold of these documents.

  14. Data dumps beget more data dumps by Anonymous Coward · · Score: 0

    Perhaps some of this and the Equifax breach data can help open doors to more unauthorized access, making more data dumps possible... And then on and on and on until it's all out there.

  15. nasilyapilirtarifleri by kol-sepetim · · Score: 0

    If you don't know how to make them, visit our website for food, dessert and cake recipes; master chefs have written their delicious recipes for you. Don't ask how it's made, just visit www.nasilyapilirtarifleri.com. "food recipes"
    "cake recipes"
    "dessert recipes"

    --
    http://www.kolsepetim.com/
  16. Sophisticated? Seriously? by Anonymous Coward · · Score: 0

    Everything I've read says they got hacked because some careless admin didn't enable 2-factor authentication and they popped his password. Is this what passes for a sophisticated hack nowadays?

  17. Deloitte Hacked?? by Clived · · Score: 1

    Oh how have the mighty fallen. Aren't THEY supposed to be guiding their clients regarding preventing such issues ??

    --
    Clive DaSilva Email: clive.dasilva@gmail.com Ubuntu 18.10 Kernel 4.18