Deloitte reportedly suffered hack during email migration to Office 365
- Deloitte's disclosure of its "sophisticated hack" last month is reportedly worse than first revealed, according to The Guardian. The hack allegedly exposed a server holding emails of about 350 clients including the U.S. Departments of State, Energy, Homeland Security and Defense.
- The attack reportedly occurred during Deloitte's email migration and upgrade from an onsite system to Microsoft's cloud software, Office 365. Sources told The Guardian that the hackers infiltrated Deloitte's system using its email platform through a single password portal.
- As of now, Deloitte cannot be "100% sure what was taken" by the hackers, according to the report, but Deloitte claims only six of its clients had information compromised. Other impacted organizations include the U.S. Postal Service, the United Nations, the National Institutes of Health, Frannie Mae and Freddie Mac and soccer's FIFA.
Deloitte originally claimed the attack had been reserved to a small portion of its clients' five million emails and occurred in either October or November 2016, according to an initial report. The hack is believed to have compromised data including usernames, passwords, IP addresses and "architectural diagrams" of partnered organizations.
Multi-factor authentication is the extra level of security Deloitte needed to avoid such an attack. Unsecure portals to classified information is the gateway hackers look to exploit the most. The security firm has since implemented more multi-factored authorization and encryption features.
Still, Deloitte's failings are an embarrassment for the consulting firm, especially following Equifax's mass data breach last month. However, companies are now concerned with the security of their partnered third-party vendors, although they are worth the risk.
Savvy hackers are exploiting platforms used by companies like Deloitte. Cloud vendors, such as those used by Verizon and the WWE, both suffered exposed data after storage controls were left unsecure. While the responsibility ultimately falls on the impacted company, vigilant watch over potential data access points is needed in IT departments.