Deloitte Data Breach


The Deloitte Data Breach

Prepared by:
Basir Noory
Sheila Gutierrez
Haojie He
Jonathan Davila
Arsalan Ahmed

Table of Contents
Page Number
1. Background 2-3
2. Recommendations 4-5
3. Looking Forward 6-7
4. Sources 8-9

Deloitte Data Breach


Background:
Deloitte, one of the biggest accounting firms and a major player in cybersecurity
consulting, experienced a data breach of its internal email systems in the fall of 2016. The
company provides various services, including tax consulting, auditing, financial advisory, risk
management, and cybersecurity advising, to some of the world’s biggest banks, government
agencies, and multinational companies. According to multiple reports, the breach granted the
perpetrators access to personal data of some of Deloitte’s top clients, including large, well-
known companies and U.S. government agencies. In addition, The Guardian reported,
“The Guardian understands the hackers had potential access to usernames, passwords, IP
addresses, architectural diagrams for businesses and health information. Some emails had
attachments with sensitive security and design details.” The breach is believed to have mostly
affected Deloitte’s U.S. clients. Unfortunately, as has become the face-saving norm among
many corporations dealing with security breaches, Deloitte neither disclosed nor acknowledged
the breach publicly until September of 2017. Investigators believe such concealment took place,
citing as evidence an urgent request by Deloitte in October of 2016 that all its employees in the
United States change their passwords and personal identification numbers (PINs). That
was almost twelve months before they announced the compromise to their affected clientele.
In fact, the matter was initially regarded as so confidential that for a significant period only the top
executives and senior lawyers of the company were aware of the situation. In addition to
covering up the breach, the company attempted to downplay its extent when it ultimately
decided, amid pressure, to make it public. In response to a request made by
KrebsOnSecurity.com, Deloitte acknowledged the incident and issued the following statement:
“The review of that platform is complete. Importantly, the review enabled us to
understand precisely what information was at risk and what the hacker actually did and
to determine that only very few clients were impacted [and] no disruption has occurred
to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
Although the statement was initially perceived as assurance that no significant compromise
of clients’ data had occurred, an anonymous source inside Deloitte investigating the incident informed
KrebsOnSecurity.com otherwise. The source is said to have confirmed The Guardian’s claim that
the breach was on a much larger scale than originally reported by Deloitte. It evidently included
all the admin accounts and the entire email database of the company. However, despite such a
broad intrusion, Deloitte reportedly chose not to inform its cyber-intel clients. “Cyber-
intel,” according to KrebsOnSecurity.com, “refers to Deloitte’s Cyber Intelligence Centre, which
provides 24/7 ‘business-focused operational security’ to several big companies, including CSAA
Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.”

The question of how the hackers got past Deloitte’s security measures to gain
access to its systems remained something of a mystery while investigations were ongoing, as
the company declined to comment. Eventually, however, it was embarrassingly revealed by an unnamed
source to The Guardian that the incident stemmed from a hacker breaking into the firm’s global
email server by apparently taking control of a high-level administrator account that provided
unrestricted access to company information. Many researchers and cybersecurity experts have
since criticized Deloitte for the lack of proper security measures on accounts with such
privileges. The Guardian further mentioned that, “The account required only a single password
and did not have ‘two-step’ verification.” For this reason, some prominent experts have mocked
Deloitte for ironically failing to take its own medicine. The mockery was also directed at Gartner,
a global research and advisory firm, which ranked Deloitte as the number one cybersecurity
consulting firm in the world in 2016.
Deloitte never revealed, or could not determine, who was behind the intrusion into its systems
and what the motives were. No one has yet claimed responsibility either. However, Fortune
magazine reported, “The nature of the attacks suggest the hackers were commercially motivated
and seeking confidential information to sell or use for insider trading.” Whether the
hackers and their motives will ever be reported or shared is yet to be determined. This document
provides recommendations to help companies avoid potential data breaches.

Recommendations:
Preventive Actions:
1. Suspend Unencrypted Data Transmission: Mandate encryption of all data communications; this
includes data 'at rest' and 'in motion.' Also encrypt email within Deloitte whenever
personal data is being transferred. Avoid using Wi-Fi networks while conducting business; they
may expose the data to interference. (Preventive)

2. Secure All Computers: Implement two-step verification and password protection with 'time-out'
functions (requiring re-login after periods of inactivity) for all workstations. Train employees
never to leave laptops unattended. Restrict communication between company-owned
computers and bring-your-own devices (BYOD). Require the use of strong passwords that are updated frequently.
Do not store personal data on a computer connected to the network unless it is crucial for
conducting business. (Preventive)

3. Control Computer Usage: Restrict employees to using computers for business-related work only.
Do not authorize employees to use file-sharing or peer-to-peer websites or software applications.
Block access to inappropriate sites and forbid the use of unapproved software on corporate
networks.

4. Restrict VPN Networks: Do not allow employees to share the company’s VPN and network account
information on any public website, such as GitHub or Google+. As one of the Big Four
accounting firms, Deloitte should understand that it is always a target for hackers.
Therefore, it should not let any employee share any VPN or network account with others.
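Worked example, added here and not code from the report or from Deloitte: a minimal server-side login check in Python that combines the two controls in preventive action 2, a second factor (a time-based one-time password per RFC 6238, using that RFC's published test-vector secret) on top of a hashed password, plus an idle time-out. The account name gadmin, the password, the salt, the PBKDF2 iteration count and the 15-minute idle limit are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed example, not Deloitte's or any vendor's code. It shows the two
# controls recommended for privileged accounts: a second login factor (TOTP,
# RFC 6238) on top of the password, and a session that expires when idle.

IDLE_TIMEOUT_SECONDS = 15 * 60      # assumed policy value: re-login after 15 min idle
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6
PBKDF2_ITERATIONS = 100_000         # assumed value for the example


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP_SECONDS) -> str:
    """Time-based code: HOTP over the current 30-second time step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * TOTP_STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the stored verifier never contains the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed credential store for one hypothetical privileged account.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "gadmin": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
    }
}


def authenticate(user: str, password: str, code: str, at: int) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), acct["pw_hash"])
    return pw_ok and verify_totp(acct["totp_secret"], code, at)


def session_expired(last_activity: int, now: int,
                    idle_limit: int = IDLE_TIMEOUT_SECONDS) -> bool:
    """Time-out function: the session must be re-authenticated after idle_limit."""
    return now - last_activity > idle_limit


if __name__ == "__main__":
    t = 59   # RFC 6238 reference time; the SHA-1 code at this instant is 287082
    secret = ACCOUNTS["gadmin"]["totp_secret"]
    print("code at t=59:", totp(secret, t))
    print("password only:", authenticate("gadmin", "correct horse battery staple", "000000", t))
    print("password + code:", authenticate("gadmin", "correct horse battery staple", "287082", t))
    print("idle 16 min expired:", session_expired(0, 16 * 60))
```

The drift window is deliberately narrow (one step either side): a wider window makes a captured code usable for longer, so it should be the smallest value the deployment's clock accuracy allows.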

Detective Actions:
1. Scan network ports: Scan network ports to find out which model of equipment has been
attacked, using tools such as Nmap. Port scanning shows the state of the network ports and
where the site is vulnerable. Shodan can also be used to learn how the equipment appears from
the external environment.

2. Penetration Testing: The best way to measure how good our defenses are is to attack them.
Hiring a security expert to simulate an attack may allow us to develop a new defense strategy
and keep up with the latest security trends.

3. Logging systems: Create a logging system that keeps track of the time and location of users
accessing company systems. If an unauthorized log-in is made from an outside source, the
system should at least be able to recognize that the log-in is coming from outside.

Responsive Actions:

1. Prioritize vital resources: For a company affected by a data breach, it is important not to lose
any vital resources. This includes the customer base. Providing aid and resources to those
affected would be a responsible action for a company that seeks to prevent further
damage. By taking some responsibility, the company shows customers that it is doing
everything in its power to maintain its integrity and credibility.

2. Critical Investigation: The company should focus more attention on investigating what initiated
the original breach. In the case of Deloitte, the account that was breached lacked a
second form of verification. This means the company should implement new policies requiring
employees to have no fewer than two forms of verification. While this is a response to the
initial breach, it will at the same time help prevent another one.

3. New Passwords: Regardless of how often passwords are changed (or not), the company should
consider changing them all over again to get rid of any compromised credentials that could prolong
the breach. This applies if the cyber criminals were somehow able to record all log-in
credentials across the company. New, strong passwords would render all those stolen
credentials useless to the criminals.

Looking Forward: From a Bird’s Eye View


There are many network security tactics that can be applied, and lessons that can be learned, from the Deloitte data breach.
Among them is a major component of the attack: the hacking of the cloud. Moving away from
traditional database technologies to the “Cloud” is an inevitable move for global companies.
Deloitte’s data breach compromised thousands of staff members’ e-mails and important data. This
raises the important topic of cloud computing security measures and the regulatory updates that
can mitigate future data breaches.

With massive amounts of information passing through security systems, companies fittingly adopt many
information security products. Such products range from anti-virus software to Security Information and
Event Management (SIEM) tools and data loss protection tools (Gaurav 2018). Companies need a
better understanding of what is going on throughout their different branches in order to
detect any red flags in the system. Having proper threat management tools to protect data is
important for protecting a company’s information. Companies should consider the information security
objectives they have and understand the benefits of implementing SIEM technology together with User and
Entity Behavior Analytics (UEBA) software as part of their information security measures.

SIEM

In the Deloitte data breach, The Guardian reported that it was “believed the attackers may have had
access to its systems since October or November 2016” (Hopkins 2017). This kind of threat to information
security indicates a need to focus on threat management tools. A SIEM compiles all security
events into a large-scale database from which security reports are formed. Rules are set in the SIEM system so that
security alerts are raised when events deviate from the configured rules. In short, SIEM tools help
security analysts gain an overview of all device and network activity in a company.

UEBA

A complement to SIEM security tools is User and Entity Behavior Analytics software, which works similarly to
SIEM tools but with a greater focus on gaining an overview of individual users. This kind of technology
helps companies set a baseline for normal network user behavior. For example, anything from login
patterns to network activity patterns or access to files can be fed into UEBA software. From this
information, the software can determine whether there are variances in user behavior, such as
abnormally large amounts of data downloads, inconsistent logins, or other out-of-the-norm network
activity (Ng 2017).

In the Deloitte case, the hackers were able to gain access to data from many areas through a
master administrative account. By implementing both analytical tools in their information
security, Deloitte and other companies can better detect variances in major administrative
accounts. Control of such accounts is fundamental to keeping data and important information
in appropriate hands.
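The following Python script, added here as an illustration and not code from the report or from any SIEM or UEBA product, implements detective action 3 from the Recommendations (recognizing a log-in that comes from outside the company's own address space) together with the UEBA-style baseline described above: each user's usual login hours and download volumes are learned from past log lines, a new line is compared against them, and any finding on an administrative account is escalated. The log format, the corporate network ranges, the account names gadmin and analyst1, and the download threshold are all constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed example, not Deloitte's or any SIEM/UEBA vendor's code. It
# implements two detections: a login from outside the company's own address
# space, and a deviation from a per-user behavioural baseline built from logs.

# Assumed corporate address space (RFC 5737 documentation range plus a private
# range, chosen for the example; a real deployment lists its own networks).
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical high-privilege account, standing in for the kind of master
# administrative account discussed on this page.
PRIVILEGED_ACCOUNTS = {"gadmin"}
DOWNLOAD_MULTIPLIER = 5      # assumed threshold: 5x the user's mean download volume

# Constructed historical log lines used to learn the baseline.
BASELINE_LOG = [
    "2016-09-05T09:02:11Z user=gadmin src=198.51.100.23 action=login bytes_out=1200",
    "2016-09-06T10:15:40Z user=gadmin src=198.51.100.23 action=login bytes_out=800",
    "2016-09-07T14:47:03Z user=gadmin src=10.4.1.9 action=login bytes_out=1000",
    "2016-09-05T08:30:00Z user=analyst1 src=10.4.2.20 action=login bytes_out=50000",
    "2016-09-06T08:45:12Z user=analyst1 src=10.4.2.20 action=login bytes_out=70000",
]


def parse(line: str) -> dict:
    """Split a 'timestamp key=value ...' line into typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "src": ipaddress.ip_address(fields["src"]),
        "bytes_out": int(fields.get("bytes_out", "0")),
    }


def build_baseline(lines) -> dict:
    """Per-user baseline: hours of day seen logging in, and download volumes."""
    baseline = defaultdict(lambda: {"hours": set(), "bytes": []})
    for ev in map(parse, lines):
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
        baseline[ev["user"]]["bytes"].append(ev["bytes_out"])
    return dict(baseline)


def is_corporate(ip) -> bool:
    return any(ip in net for net in CORPORATE_NETS)


def evaluate(line: str, baseline: dict) -> list:
    """Return the anomaly flags raised by one new log line (empty list if none)."""
    ev = parse(line)
    flags = []
    if not is_corporate(ev["src"]):
        flags.append("external_source")           # login from outside the company
    profile = baseline.get(ev["user"])
    if profile is None:
        flags.append("no_baseline")               # never seen this user before
    else:
        if ev["ts"].hour not in profile["hours"]:
            flags.append("unusual_hour")          # inconsistent login pattern
        mean_bytes = statistics.mean(profile["bytes"])
        if ev["bytes_out"] > DOWNLOAD_MULTIPLIER * max(mean_bytes, 1):
            flags.append("excess_download")       # abnormally large data transfer
    if flags and ev["user"] in PRIVILEGED_ACCOUNTS:
        flags.append("privileged_account")        # escalate: admin accounts matter most
    return flags


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    new_lines = [   # constructed: one suspicious admin login, one normal one
        "2016-10-14T02:13:45Z user=gadmin src=203.0.113.7 action=login bytes_out=60000000",
        "2016-10-14T09:10:02Z user=gadmin src=198.51.100.23 action=login bytes_out=900",
    ]
    for line in new_lines:
        print(evaluate(line, base) or "ok", "<-", line)
```

A real SIEM would apply the same comparison to far more attributes and over a longer history, but the structure is the same: a baseline learned from the normal period, a rule set applied to each new event, and a severity raised for privileged accounts so that the analyst sees those first.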

Cloud Transparency

As more information is stored with cloud services, attention has shifted to understanding how Cloud
Service Providers can protect the information they are trusted to store, and more specifically how stored
information is released or handed out to third parties. Now, Cloud Service Providers not only have
to ensure the safety of stored information, but they must also be transparent about data privacy. If
Cloud Service Providers can gain greater trust from their users, then more and more companies will switch
to the cloud. As more users enter the cloud, the cloud industry can increase its focus on advancing its
technologies and security. Ultimately, greater transparency can strengthen the relationship between users
and providers.

CLOUD Act

Among the newest additions to data privacy laws and regulations is the CLOUD Act (Clarifying
Lawful Overseas Use of Data). Under this data privacy law, the U.S. Government would have access to U.S.
citizens’ data stored in an external “Cloud” if the countries involved have an executive agreement with the United
States (Mozart 2019). It is intended to simplify the steps needed to collect data from U.S. cloud
computing providers and their U.S. citizens. However, the issue arises when some of the information in
the “Cloud” is stored completely outside U.S. territory. The act simultaneously makes it easier for the
U.S. Government to collect “Cloud” information while complying with local warrants or regulations. One
major concern in implementing this act is how Cloud Service Providers will incorporate privacy
legislation into their customer service. Whereas the main concern of Cloud Service Providers toward their users
has been keeping a reliable and secure server, the trend has now shifted toward data privacy
regulations. Cloud Service Providers will have to comply with many international and local regulations, all
while keeping transparency with their users regarding the privacy and protections they can provide to
them.

The protection of data will continue to be a concern for companies, so understanding which analytical
tools are best at targeting threats in information networks matters. A SIEM system alone will no longer
suffice; companies will have to consider the complementary benefits of understanding individual users’ network
behavior through UEBA security tools. With more information entering cloud systems, greater
transparency in security and data privacy will be inevitable for the expansion of this industry. Lastly, the
United States will continue to have national security objectives as cloud computing grows
internationally. While the CLOUD Act aims to simplify data collection for the government, cloud
computing providers will need to adjust their customer service experience to better inform users about
their data privacy rights.

Sources

1. 7 Steps to Take Right After a Data Breach. (n.d.). Retrieved from
https://www.lifelock.com/learn-data-breaches-steps-to-take-right-after-a-data-breach.html

2. Krebs on Security. (n.d.). Retrieved from
https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

3. Hernandez, A. (2016, July 26). How To Prevent A Security Breach. Retrieved from
https://www.lawtechnologytoday.org/2016/07/how-to-prevent-a-security-breach/

4. Ng, C. (2017, August 22). The Difference Between SIEM and UBA. Retrieved February 14, 2019, from
https://www.varonis.com/blog/the-difference-between-siem-and-uba/

5. Hopkins, N. (2017, September 25). Deloitte hit by cyber-attack revealing clients' secret emails. Retrieved February 14, 2019, from
https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

6. Gaurav, S. (2018, January 29). 15 Cloud Security Trends and How to Avoid Security Breaches in 2018. Retrieved February 14, 2019, from
https://www.botmetric.com/blog/15-cloud-security-trends-2018/

7. Forbes Finance Council. (2018, March 08). How To Protect Your Business From A Data Breach: Seven Key Steps. Retrieved from
https://www.forbes.com/sites/forbesfinancecouncil/2018/03/08/how-to-protect-your-business-from-a-data-breach-seven-key-steps/#1d6043686b68

8. Mozart, M., Koutsomitis, Y., & Sato, N. (2018, May 18). What You Need To Know About Cloud Laws and Regulations. Retrieved February 14, 2019, from
https://www.cloudwards.net/what-you-need-to-know-about-cloud-laws-regulations/

9. Rajkumar, & Ryan, O. (2019, February 04). Top 15 ways to prevent data and security breaches. Retrieved from
https://bigdata-madesimple.com/15-ways-to-prevent-data-security-breaches/

10. West, J. (2017, December). Fundamentals of a Cybersecurity Program: Internal auditors and information security professionals can join forces to prepare the organization for cyber threats. Internal Auditor, 16+. Business Insights: Essentials. Retrieved February 16, 2019, from
http://bi.galegroup.com.libproxy.utdallas.edu/essentials/article/GALE%7CA520582175/803e81a6f5f33387880234af779fde32?u=txshracd2602

11. Bing, C. (n.d.). Deloitte Was Breached Last Year, but Investigators Didn't Find Out Until March. CyberScoop. Retrieved from
https://www.cyberscoop.com/deloitte-breach-2017/

12. Jennings, R. (n.d.). Deloitte 4+ Months Late on Breach: New Poster Child For Bad Security Practices? TechBeacon. Retrieved from
https://techbeacon.com/security/deloitte-4-months-late-breach-new-poster-child-bad-security-practices