Report: Deloitte Suffered Breach Last Year

Hackers Breached Emails, Client Data Stored In Microsoft Azure Cloud Service
Foreground: Deloitte headquarters in New York City. (Photo: Dylan, via Flickr/CC)

Add Deloitte to the tally of organizations that have suffered a breach that was discovered this year.

The "big four" accounting firm, based in New York, suffered a breach last year that may have exposed 5 million internal emails as well as "usernames, passwords, IP addresses, architectural diagrams for businesses and health information," the Guardian first reported. Some exposed emails may have also contained attachments with sensitive or security-related details, according to the news report.

Deloitte discovered it had been breached in March, and it believes the breach began in October or November of last year, the Guardian reports. On April 27, Deloitte hired the U.S. law firm Hogan Lovells on "special assignment" to investigate the suspected breach.

The global accounting firm did not immediately respond to Information Security Media Group's request for comment. But it confirmed the breach to the Guardian, claiming that only "a very small fraction of the amount that has been suggested" of exposed data was at risk and that only a small number of customers had been "impacted."

Deloitte had $38.8 billion in revenue for its most recent fiscal year.

"In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte," a spokesman tells the Guardian. "As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators."

Deloitte did not specify which government authorities or regulators it informed.

"The review has enabled us to understand what information was at risk and what the hacker actually did and demonstrated that no disruption has occurred to client businesses, to Deloitte's ability to continue to serve clients, or to consumers," the spokesman says. "We remain deeply committed to ensuring that our cybersecurity defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.

"Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested."

The Guardian reports that attackers breached Deloitte's Azure cloud service, provided by Microsoft, which stored emails to and from the accountancy firm's 244,000 staff.

Follows Equifax Breach

News of the reported Deloitte breach follows credit reporting agency Equifax on Sept. 7 warning that it suffered one of the most severe breaches of U.S. consumers' personal information in history. Information on 143 million U.S. consumers was exposed, including names, birthdates, addresses, Social Security numbers and in some cases driver's license numbers. Also exposed were 209,000 payment card details and documents related to credit disputes that affected 182,000 people (see Credit Union Sues Equifax Over Breach-Related Fraud Costs).

Equifax has been widely criticized by multiple U.S. lawmakers for failing to rapidly inform affected consumers.

"Equifax has had a very poor response and I'm disappointed in them," says Rep. Jim Langevin, D-Rhode Island, the Wall Street Journal reports. "As good corporate citizens, I believe Equifax owes much more transparency to consumers."

Langevin is one of a group of Democratic lawmakers pushing for new laws to help safeguard individuals' personal details, hold data brokers accountable as well as set a national breach-notification standard to replace the patchwork of states' laws that now apply.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
