Poor Password Policy, Lack of 2FA Led to Deloitte Breach

The exploited admin account had just a single password and lacked two-step authentication.

Another day, another major company hacked—this time Deloitte. For those who don’t know Deloitte, it’s one of the “big four” accountancy firms in the world. Headquartered in New York, Deloitte offers financial services, including consultation on cyber security. In fact, in 2012, Deloitte was ranked the top cyber security consultant in the world.

Apparently, a lot can change in five years.

Deloitte discovered the hack in March, but believes the attackers may have had access since fall 2016. So far, according to The Guardian, six of Deloitte’s clients have been told their information was “impacted” by the incident; they include “household names” and US government departments.

Deloitte has been very secretive about the breach owing to the high-profile nature of its clientele. The company took in some $37 billion in 2016 and has relationships with some of the biggest, most influential companies in the world.

In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.

So far, the breach appears to have focused on the US and is regarded as so sensitive that only a handful of partners at the highest level have been informed as to the extent of the breach. The company’s investigation is code-named “Windham.”

Once Again, The Human Element is to Blame

This wasn’t some highly sophisticated attack that broke key systems or exploited a major vulnerability. There was no zero-day involved. The attackers infiltrated through an admin account that was secured with only a single password and didn’t have two-factor authentication enabled.

This is purely human error.

Much like Equifax could’ve prevented its breach by simply patching its systems, Deloitte would not be in this position if it had done more to secure its accounts. This is a company that stores sensitive, potentially market-altering information on some of the largest, most important companies in the world and all that stood between that data and the outstretched arms of hackers was a single password.

That’s egregious.

At the very least, enable two-factor authentication. I have no idea whether it was a conscious decision not to, or else just pure negligence, but in 2017 if you don’t have 2FA set to secure your accounts you almost deserve to get hacked. There are 11-year-olds with Facebook accounts that have stronger security than Deloitte did.

So, if you’re a business owner or just a regular person, enable two-factor authentication, two-factor verification – whatever you want to call it – anywhere that you can. It’s debatable how useful passwords alone even are nowadays. Getting through password security is actually fairly easy with the right tools. So, adding additional security mechanisms is highly recommended.

Keep an eye out for this story, it’s probably going to blow up.

What we Hashed Out (for Skimmers)

Here’s what we covered in today’s discussion:

  • Deloitte discovered a breach in its systems back in March
  • The attackers may have had access since October or November of 2016
  • The hackers exploited an admin account that was protected by a single password and didn’t have 2FA
Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.