According to The Guardian, accountancy firm Deloitte has been targeted by a sophisticated hack that leaked confidential emails and plans of its blue-chip clients.
Deloitte provides auditing, tax consultancy and high-end cyber security advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.
Deloitte clients across all of these sectors had material in the company email system that was breached, including household names and US government departments.
The Guardian found the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information.
Alashe, CEO of CybSafe, said: “To access most servers or networks you need credentials – most commonly a username and password. With two- or multi-factor authentication, you need the username, password, and another form of authentication, be that biometric – such as fingerprints or an iris scan – or a code emailed or texted to your phone or another code-generating device.
“Two-factor authentication is the absolute minimum standard that organisations should be taking to protect data of this importance. On their website, Deloitte suggests that businesses make use of multi-factor authentication, and it seems that in this instance, they didn’t take their own advice.”
The emails of Deloitte’s 244,000 staff were stored in the Azure cloud service, Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.
“As Deloitte’s example has shown, companies need to make sure that people only have access to the things that they need access to, so nobody has elevated privileges who doesn’t need them, and those who do have elevated privileges realise that there are special, high risks associated,” added Alashe.
“Of course, hackers are going to target those who have increased access to systems and data, and so users with these heightened access privileges need to be aware of the risks associated with their position, and they need to be trained appropriately to protect this data.”
The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.
Written from press release by Leah Alger