Deloitte hack: Lack of two-factor authentication to blame?

One of the world’s big four accountancy firms suffers a security breach that might have been prevented by better authentication. 

On Monday, the world woke up to the news of another massive data breach in a story published by The Guardian. According to the report, consulting and accounting giant, Deloitte has been the victim of a cyber-attack that went unnoticed for months. According to The Guardian, the hacker(s) compromised the global email server of the company by hacking into the administrator account which wasn’t secured with two-factor authentication.

The New York-headquartered company is one of the world’s ‘big four’ accountancy firms which also includes PwC, EY and KPMG. The breach is being touted as an ironical twist as Deloitte runs a Cyber Intelligence Centre and advises some of the world’s biggest banks and multinational clients on mitigating risk and strengthening cyber resilience.

Gizmodo reported that the system reportedly stored emails from 244,000 staff members on Microsoft’s Azure cloud.

American journalist Brian Krebs who covers internet security and cybercrime commented in his blog that Deloitte acknowledged a cyber incident involving unauthorized access to its email platform in a statement sent to KrebsOnSecurity.

Krebs alleges that a source close to the investigation has revealed the breach happened sometime back in October 2016. “It appears that Deloitte has known something was not right for some time. According to this source, the company sent out a ‘mandatory password reset’ email on Oct. 13, 2016 to all Deloitte employees in the United States,” claimed Brian Krebs in the blogpost. The source also alleged that the hackers went unnoticed in the system for a long time.

The breach is said to have compromised data such as usernames, passwords, IP addresses, architectural diagrams for businesses, health information, sensitive security and design details.

In a response to Gizmodo, Deloitte reportedly said that only a small fraction of its clients have been “impacted” by the breach and the company has notified the clients that were affected. 

However, this points to the larger question that why do multinational companies like Deloitte and Equifax play it cool when it comes to reporting cybersecurity breaches? “In general, there may be liabilities associated with such breaches so unless the firm knows about the exact nature of the breach and its impact, it is difficult for them to come out in public and say that we were hit,” said Nirav Maniar, partner - International Business Advisors.

Commenting on the lack of two-factor authentication that might have led to the attack, Maniar said, “Two-factor authentication is still to kick in. Even most of the banks do not use two-factor authentication yet. However, a recent spate of such attacks has been able to grab the attention of a few corporates which is a good start.

“Further, Indian Government has issued guidelines for insurance and finance companies indicating the seriousness of Government think tank. But more education initiatives on part of business chambers and Government is required to build a habit of safety,” he added.

Australian web security expert and creator of the data breach service Have I Been Pwned commented on Twitter, “It’s getting to a point when a major data breach barely even seems newsworthy anymore.”

As cyber-attacks continue to make headlines around the world, the pattern of poor security hygiene begets the question: Are enterprises and users getting desensitized towards cybercrime?

And are enterprises ready to embrace technology such as blockchain and artificial intelligence to fight cybercrime, when old habits are still wreaking havoc?   

Edited By : Vaishnavi J Desai