Another day, another email hack that a company kept hidden from customers for months.
Deloitte confirmed on Monday that the global accounting firm was a victim of a cyber attack that infiltrated the company’s email system, stored on Microsoft Azure’s cloud platform. The hacker infiltrated the company’s email server via an administrator’s account that did not have two-step verification.
Deloitte first discovered the attack in March, as reported by The Guardian, but hackers may have had access to Deloitte’s email system as far back as the end of 2016.
The full extent of the data breach is still unknown, but it could have wide-ranging repercussions. As one of the largest private firms in the United States, Deloitte works with large brand-name companies and government entities alike -- all of which may be impacted.
In addition to emails that may have contained sensitive information, the breach may also have exposed usernames, passwords, IP addresses, and confidential business documents.
The news of Deloitte’s breach comes on the heels of Equifax’s announcement that 143 million Americans had their personal information stolen, including social security numbers, in a data hack in May.
“The financial sector is getting an unprecedented wake-up call in case any had grown complacent -- with targets in just a matter of weeks being one of the ‘big four’ accountancy firms, one of the 'big three' credit monitoring agencies, and the U.S. Securities and Exchange Commission,” says John Christly, chief information security officer at security company Netsurion.
Christly says that every organization “must take the stance that they either have been or will soon be breached.”
In addition to two-factor authentication, he recommends that organizations implement effective monitoring solutions that intelligently detect incidents and respond quickly to them.