● The firm discovered the Deloitte email access incident in March.
● The hacked email included usernames, passwords and personal data of its top clients.
Deloitte, one of the largest private tax and auditing firm in the US, was targeted with an email data breach that resulted in the theft of confidential information, including private emails and documents of its clients.
The compromised emails included usernames, passwords and personal data of its top clients. In addition to hacking Deloitte email, the hackers had gained access to architectural diagrams for businesses and health information and IP addresses.
The global accountancy firm confirmed the news by saying that its Deloitte email platform was accessed from October last year through this past March and that some of its clients was affected by this email data breach.
The firm discovered the Deloitte email access incident in March, but it claims that the unknown attackers may have been doing this since October or November 2016.
The hackers were able to hack email server through an administrator account that was not properly secured using two-factor authentication (2FA), thereby giving them unauthorized access to Deloitte’s Microsoft-hosted email mailboxes.
The company has completed the overall investigation of the compromised Deloitte email platform.
“Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that only very few clients were impacted [and] no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” said Deloitte in a statement to KrebsOnSecurity.
While the company has managed to find out the impact and the kind of data compromised in the Deloitte email hack, it is still unclear as to how the intrusion occurred or whether there was any email malware inside its systems.
With Deloitte email access incident, the company has become the latest victim of the high-profile cyber attack. Just last month, Equifax had publicly disclosed a breach which resulted in the compromise of 143 million US customers.
As part of the review in the hack email case, Deloitte has notified governmental authorities and regulators.
“We remain deeply committed to ensuring that our cybersecurity defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.”
With the disclosure of the breach, the management has become concerned about the Deloitte cyber security and has started working towards enhancing the security of the firm against future attacks that involve breach due to any email malware or legacy software.
“While today’s fast-paced innovation enables strategic advantage, it also exposes businesses to potential cyber-attacks. Embedding best practice cyber behaviors helps our clients to minimize the impact on business.” the firm told about Deloitte cyber security on its website.
“Cyber risk is more than a technology or security issue, it is a business risk.”
Deloitte has its own Cyber Intelligence Centre that provides its clients with round-the-clock business focused operational security.