2017-09-26

Deloitte, one of the largest private US companies and a leading source of cyber-security advice for corporates, has had its email server hacked using legitimate credentials: client details were revealed, attackers were on the system for months, and there was no 2FA.

Five years ago Gartner ranked the big-four accounting firm Deloitte as number one in cyber-security, but today it has been reported that usernames, passwords and personal details of some of its leading clients have been obtained by hackers.

The Guardian newspaper reports that the London-registered company, with global headquarters in New York, had its email system hacked possibly as long ago as October or November 2016, but that it discovered the breach only in March this year. With a reported US$37 billion revenue last year, it is one of the largest private firms in the US and, as well as accountancy services, provides “high-end cyber-security advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies,” according to the report, which notes that at least six major clients have been informed that their data is impacted.

All emails to and from Deloitte's 244,000 staff are stored in an Azure cloud service provided by Microsoft, and it appears that an “administrator's account” was used to give the hackers unrestricted “access to all areas.”

According to the report, on 27 April Deloitte hired US law firm Hogan Lovells on “special assignment” to review what it called “a possible cyber-security incident” with the investigation subsequently codenamed “Windham.”

The Guardian quotes a spokesperson saying, “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cyber-security and confidentiality experts inside and outside of Deloitte. As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” adding “... no disruption has occurred to client businesses, to Deloitte's ability to continue to serve clients, or to consumers.”

Only a small fraction of the reported five million emails at risk are reported to have actually been accessed.

This article originally appeared at scmagazineuk.com