Deloitte, one of the ‘Big Four’ companies in the corporate world, is the latest mega-entity to face a cyber attack.
With a history of providing tax services and financial risk advice to some of the world’s biggest companies, it is ironical to note that the firm that made a mark for itself in the world of cyber security consulting is today struggling with cybersecurity.
Today, in this era of technological advancement, almost all our needs—financial or otherwise—are dealt with digitally. In such a scenario, our greatest threat is not from thieves and robbers. Rather, it is cyber intruders who must be feared.
The gravity of this new norm was reiterated following the recent cyber attack to Deloitte, one of the largest global accounting firms. In March, the accounting giant discovered that confidential data pertaining to six of its major U.S. clients was being accessed by some unauthorized personnel.
On further inspection, it was found that the hackers had access to the data since last fall (October through November 2016). The breached information included passwords, emails, and other confidential data.
The fact that all the security breaches were U.S.-specific raises many questions. Hackers managed to gain access to the company’s email server through an administrator account that was not secured using two-factor authentication, which is one of most common loopholes hackers use to breach a system.
This granted the attackers unrestricted access to Deloitte’s Microsoft-hosted email accounts. Once that was achieved, the hackers had complete access to usernames, passwords and IP addresses. They also had potential access to architectural diagrams for businesses, as well as some health information.
Deloitte published a statement that said only a few clients were impacted by the cyber attack, adding that the incident didn’t disrupt clients’ businesses from operating as usual. But the official figures for how much of the data has been used (or rather misused) have not yet been declared.
The company also has not released the hard numbers, nor has it indicated whether the hack affected individuals.
However, the manner in which the entire process was executed shows that there was a lot of meticulous planning involved, indicating that the hackers behind the cyber attack likely have the sophistication and knowledge to execute the whole process successfully.
Speculation within the cyber world has theorized that the attacks were focused on corporate clients and not individual clients. However, this is just a speculation, and its reliability has not been confirmed by official sources.
To date, no individual or company has taken up responsibility for the attack. Thus, it is yet to be established if it was a lone wolf, business rivals or state-sponsored hackers who were responsible for this massive assault.
However, the fact that the cyber attack appeared to target email systems to gain access to client information—possibly corporate client information—suggests the hack may have been financially motivated.
It is interesting to note that Deloitte is not the first high-profile company to be targeted by cybercriminals. Many IT firms and accounting companies are falling into the traps posed by cyber attackers, some paying thousands of dollars to get their confidential data back after a breach.
A couple of weeks ago, credit-checking giant Equifax revealed that confidential data belonging to 140 million customers had been compromised in a security breach.
The lesson that the Equifax attack was supposed to teach the corporate world was finally learnt following the Deloitte attack. The firm set up a team of dedicated and highly qualified cyber experts who were responsible for everything concerning this matter. Once this team was mobilized, an intensive and thorough review was initiated.
With Deloitte coming up with new comprehensive security protocols, other corporate entities are also taking note of the ways to prevent such a cyber attack from taking hold of their own firms.
If such stringent measures are adopted on a large scale, it’s possible that cybercrime operations specifically targeting corporate giants can be a thing of the past.