When it comes to data breaches, solution providers themselves are becoming a target, with a report Monday that consulting giant Deloitte, No. 18 on the 2017 CRN Solution Provider 500 list, had been hacked.
A Guardian report Monday said a Deloitte global email server was hacked, which gave hackers access to emails to and from the company's staff, as well as customer information on some of the company's top federal and private sector clients. The report said the hackers could have also accessed other information, such as usernames, passwords, IP addresses and architectural design diagrams.
The report said Deloitte discovered the attack in March. It said the hackers had been in the company's systems for months, stretching back to October or November 2016.
The report said Deloitte was not using two-factor authentication on the email server, which it said was hosted on the Azure cloud service. It said the server was compromised through an admin account.
Deloitte confirmed the hack to the Guardian, but said only a few clients were impacted by the attack. It said it has engaged in a "comprehensive security protocol," investigation, and notified clients at risk. The Guardian said it appears that Deloitte has also engaged with an outside legal firm around the issue.
Deloitte has not yet replied to CRN requests for comment on the breach, and to what extent it impacted the company's consulting and services customers.
The breach adds to a growing trend around third-party breaches, in which hackers attack a company with the ultimate goal of hacking a company they do business with or are integrated with. The classic example of this type of attack is the hack of an HVAC vendor, which led to the mega data breach at Target in 2013.
A key set of companies in that third-party breach ecosystem is the solution provider channel. Companies like Deloitte, which offers audit, tax consulting, technology consulting and cybersecurity services, are a tantalizing vector of attack for hackers looking to get information on their clients, especially given the deep technical integration and company information required for things like consulting and managed services.
Alton Kizziah, vice president of global managed services at Kudelski Security, said data breaches, like this one, are particularly concerning for managed security services providers.