Deloitte Hit By Data Breach, Customer Information Reportedly Exposed

When it comes to data breaches, solution providers themselves are becoming a target, with a report Monday that consulting giant Deloitte, No. 18 on the 2017 CRN Solution Provider 500 list, had been hacked.

A Guardian report Monday said a Deloitte global email server was hacked, which gave hackers access to emails to and from the company's staff, as well as customer information on some of the company's top federal and private sector clients. The report said the hackers could have also accessed other information, such as usernames, passwords, IP addresses and architectural design diagrams.

The report said Deloitte discovered the attack in March. It said the hackers had been in the company's systems for months, stretching back to October or November 2016.

[Related: Solution Providers: Equifax Breach Shows Incident Response Needs To Include The 'Nontechnical' As Well]

Sponsored post

The report said Deloitte was not using two-factor authentication on the email server, which it said was hosted on the Azure cloud service. It said the server was compromised through an admin account.

Deloitte confirmed the hack to the Guardian, but said only a few clients were impacted by the attack. It said it has engaged in a "comprehensive security protocol," investigation, and notified clients at risk. The Guardian said it appears that Deloitte has also engaged with an outside legal firm around the issue.

Deloitte has not yet replied to CRN requests for comment on the breach, and to what extent it impacted the company's consulting and services customers.

The breach adds to a growing trend around third-party breaches, in which hackers attack a company with the ultimate goal of hacking a company they do business with or are integrated with. The classic example of this type of attack is the hack of an HVAC vendor, which led to the mega data breach at Target in 2013.

A key set of companies in that third-party breach ecosystem is the solution provider channel. Companies like Deloitte, which offers audit, tax consulting, technology consulting and cybersecurity services, are a tantalizing vector of attack for hackers looking to get information on their clients, especially given the deep technical integration and company information required for things like consulting and managed services.

Alton Kizziah, vice president of global managed services at Kudelski Security, said data breaches, like this one, are particularly concerning for managed security services providers.

"It's shocking and scary and we're definitely worried about it," Kizziah said. "We do a lot of things to specifically prevent this type of attack. … It is very stressful and very worrying when you see these things to think we could be a conduit for an attack on one of our clients."

A report earlier this year highlighted that trend, finding that managed service providers are increasingly being targeted by a major APT group, as they serve as a third-party vector of attack into end-target customer accounts. The report, by the National Cyber Security Centre, BAE Systems and PricewaterhouseCoopers UK, found that China-based hacking group APT10 has been targeting managed service providers and others with "common as well as custom malware."

A blog post by BAE Systems said MSPs offer a tantalizing target for attacks because while they offer a way for companies to enable their businesses around technology, the "network connectivity which exists between MSPs and their customers also provides a vector for attackers to jump through."

"Successful global MSPs are even more attractive as they become a hub from which an intruder may access multiple end-victim networks," the blog post said. The post said companies have been tracking attacks at "several major MSPs" since late 2016, attributing them to this APT10 group. It said activity by this group increased in the middle of last year.

FireEye also issued a blog post following the PwC and BAE Systems report, saying its own iSight threat intelligence had seen a "resurgence" in APT10 activity in June 2016, targeting universities, construction, engineering, aerospace and telecom firms. It said it had also seen APT10 activity at "multiple IT service providers worldwide."

Kizziah said Kudelski does see "a lot of stuff" coming after its own business, especially phishing attacks. However, he said the company is "constantly working" to test its own systems to find weaknesses. He said Kudelski also takes measures to protect client privacy and data, saying it limits the amount of client data it keeps and puts multiple steps in between client systems and its own to make it much harder for hackers to use Kudelski as a jumping-off point for an attack. He said the company does not store and cannot even read client passwords, which were one of the pieces of information reportedly exposed in this breach.

Kizziah said that was a particular focus for the managed service provider when it rebuilt its managed service practice last April. He said the company made a "significant investment" and had many people on the team focusing on how to prevent attacks on Kudelski being used as a vector to attack clients.

"I feel pretty good about where we are, but that doesn't mean we aren't worried," Kizziah said. "We spent a lot of time when we started up getting everything set up to serve our clients. One of the things you hear a lot is that we want to be an extension of the team and clients' security partner, instead of just a provider."

Kizziah said he expects existing clients will ask questions of Kudelski following the Deloitte attack to see what security measures are in place. He said the company, which competes with Deloitte, doesn't usually see an uptick in new business inquiries around this type of data breach.