Deloitte confirms hack exposed email system

It's said that a lack of two-factor authentication on an administrator's account failed to keep attackers out.
Written by Zack Whittaker, Contributor

(Image: file photo)

Tax and auditing giant Deloitte has confirmed it was targeted by a cyberattack, resulting in the theft of confidential documents and emails.

The New York-headquartered company confirmed the breach in an email to sister-site CNET after news of the breach was first reported by The Guardian.

In an email, the company said that there had been no disruptions to client businesses or its own operations.

Deloitte stands as one of the largest private companies in the US, which reported $38.8 billion in revenue last fiscal year. It offers tax, auditing, consulting, and cybersecurity advisory services to major governments and large Fortune 500 multinationals.

But it was the company's own cybersecurity effort that was undermined, according to The Guardian's report.

The report said that the unknown attacker gained access to the email server's administrator account, giving the attacker unfettered access to the company's Microsoft-hosted email mailboxes.

The account did not have two-factor authentication, which would have alerted the account owner to unauthorized use of the account, and may have prevented the attacker's access.

Lack of two-step verification led to a similar, albeit smaller breach of the UK parliament's email systems earlier this year.

The company declined to say which clients or companies were affected, but The Guardian said six clients of Deloitte were told that their data was affected by the breach, including US government departments. The attackers also had access to sensitive corporate documents within those inboxes.

Deloitte said that it is "implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte," and that it's contacting governmental and regulatory authorities. The company did not say which authorities, however.

Deloitte, when reached, would not address several of our questions prior to publication.

Deloitte is the latest corporate giant that's been hit as a result of a high-profile cyberattack. Last month, Equifax revealed its systems had been breached, affecting as many as 143 million consumers. And, earlier this month, the Securities and Exchange Commission, which regulates the US securities industry, said that a hack on its systems may have given attackers access to gain advantages in stock trading.

Editorial standards