Poor Password Policy, Lack of 2FA Led to Deloitte Breach
The exploited admin account had just a single password and lacked two-step authentication.
Another day, another major company hacked—this time Deloitte. For those who don’t know Deloitte, it’s one of the “big four” accountancy firms in the world. Headquartered in New York, Deloitte offers financial services, including consultation on cyber security. In fact, in 2012, Deloitte was ranked the top cyber security consultant in the world.
Apparently, a lot can change in five years.
Deloitte discovered the hack in March, but believes the attackers may have had access since fall of 2016. So far, according to The Guardian, six of Deloitte’s clients have been told their information was “impacted” by the incident; they include “household names” and US government departments.
Deloitte has been very secretive about the breach owing to the high-profile nature of its clientele. The company took in some $37 billion in 2016 and has relationships with some of the biggest, most influential companies in the world.
In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.
So far, the breach appears to have focused on the US and is regarded as so sensitive that only a handful of partners at the highest level have been informed as to the extent of the breach. The company’s investigation is code-named “Windham.”
Once Again, The Human Element is to Blame
This wasn’t some highly sophisticated attack that broke key systems or exploited a major vulnerability. There was no zero-day involved. The attackers infiltrated through an admin account that was only secured with a single password and didn’t have two-factor authentication enabled.
This is purely human error.
Much like Equifax could’ve prevented its breach by simply patching its systems, Deloitte would not be in this position if it had done more to secure its accounts. This is a company that stores sensitive, potentially market-altering information on some of the largest, most important companies in the world and all that stood between that data and the outstretched arms of hackers was a single password.
At the very least, enable two-factor authentication. I have no idea whether it was a conscious decision not to, or else just pure negligence, but in 2017 if you don’t have 2FA set to secure your accounts you almost deserve to get hacked. There are 11-year-olds with Facebook accounts that have stronger security than Deloitte did.
So, if you’re a business owner or just a regular person, enable two-factor authentication, two-factor verification – whatever you want to call it – anywhere that you can. It’s debatable how useful passwords on their own even are anymore. Getting through password security is actually fairly easy with the right tools. So, adding additional security mechanisms is highly recommended.
Keep an eye out for this story, it’s probably going to blow up.
What we Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- Deloitte discovered a breach in its systems back in March
- The attackers may have had access since October or November of 2016
- The hackers exploited an admin account that was protected by a single password and didn’t have 2FA