June 18, 2018

Data Breach at Deloitte Hitting Too Close to Home for Accountants


My, my. So many data breaches to talk about, it’s hard to know where to start. Caleb has already been keeping you up to date with the latest on some of the recent hacks but let’s dig in a little more about one breach in particular.

Uh oh, Deloitte

We learn time and time again that big firms screw up (coughAndersencough), and that’s why we enjoy reading the PCAOB reports every year. No one outside the industry pays much mind to PCAOB audit findings, but when you start to herald “data breach” even the non-accountants’ ears perk up, and that’s not a good thing.

One of our own, beloved Big 4 made data breach headlines at the end of September. It’s more than a little embarrassing for a cybersecurity consulting expert. When Caleb shared the news last week, he predicted that:

when a scandal hits a huge company, they play it down, only to discover a week or two later that the bad event was worse than they thought.

I’d say that’s proving accurate as time passes. The initial reports seem to have downplayed the incident, saying it only had impacted a handful of clients. While it may be too soon to know the full extent of the breach (heck, I’m sure Deloitte doesn’t know for certain), the internet gossip on the matter indicates it’s probably going to become appalling as time goes on.

For instance, this KrebsOnSecurity article references a firm-wide password reset request that went out last October that seems like too much of a coincidence. And his sources claim that Deloitte may not “know exactly how much total data was taken.” The article goes on:

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.

I can’t corroborate the claims made by this anonymous source, so it’s just internet gossip at this point. But, if there is even a shred of truth behind it, I’m interested to see if anyone has the guts to go on the record about it. I don’t think whistleblower rules apply on this one, unfortunately.

Standard foot-dragging

The fear of going public with these situations causes people to avoid ripping off the band-aid and to tug one hair out at a time instead. That’s not really unusual. Just look at Yahoo, which after four years was finally willing to admit on Tuesday, according to Reuters, that “all 3 billion accounts were compromised in the 2013 breach.” Another prime example: Forbes says that Equifax sat on its breach information for over a month before spilling the beans.

Even our good-ol’ SEC didn’t want to tell people about vulnerabilities in the EDGAR system that let hackers get access to nonpublic information about issuers (although I wouldn’t be surprised if the SEC actually didn’t know until this August). Per the WSJ:

The SEC disclosed in September that EDGAR was hacked in 2016. The SEC didn’t realize until August that information gleaned from the intrusion may have allowed hackers to trade illegally, Mr. Clayton said last month.

Fair warning

In Deloitte’s case, it may stem from lax password controls such that “account access authentication [at Deloitte] simply required a single password and did not have a ‘two-step’ verification.” That, again, is so elementary when it comes to internal control that it even comes with a juice box.

But, hey, I did warn you this might happen (okay, maybe it was Verizon in its 2017 Data Breach Investigations Report), but still, the prophecy that this would be the year of cyber espionage is coming to fruition. Does this ring a bell?

In sum, here are the recommendations for financial services firms… ‘Taunt them a second time—Use two-factor or multi-factor authentication…’

Those RSA tokens aren’t just for show, and they can’t always protect you if an administrator account is compromised.

But, at the end of the day, what’s the consequence for Deloitte? A PR nightmare and maybe some fines? A congressional hearing? Lost clients and revenue? I have a feeling, not much. And, while EY may get roped into the Equifax debacle over internal controls, who can we point to for Deloitte’s current mess? Who issues a SOC 2 over Deloitte’s systems? Anyone?

Image: Photo by William Iven on Unsplash

Related articles

KPMG Has Gotten Tired of KV Pharmaceutical’s Financial Reporting Side Effects

Last week we ran a post courtesy of Sheryl Nash at CFOZone that discussed the tough 2010 that KV Pharmaceutical was having. Well, it’s getting worse. KPMG, not completely averse to risk, has dropped KVP like a sack of spuds.

In an 8-K rammed through just before quitting time yesterday, “On June 25, 2010, KPMG LLP (“KPMG”) notified K-V Pharmaceutical Company (the “Registrant” or the “Company”) that it had resigned from its engagement as the Registrant’s principal accountant. KPMG’s resignation was not recommended or approved by the Audit Committee of the Registrant’s Board of Directors.”

What was the problem, you ask? Where do we start? There’s a lot in this 8-K so we’ve bolded the good parts for you:

KPMG’s report on the consolidated financial statements of the Registrant and subsidiaries as of and for the year ended March 31, 2009 contained a separate paragraph stating that “As discussed in Note 3 to the consolidated financial statements, the Company has suspended the shipment of all products manufactured by the Company and must comply with a consent decree with the FDA before approved products can be reintroduced to the market. Significant negative impacts on operating results and cash flows from these actions including the potential inability of the Company to raise capital; suspension of manufacturing; significant uncertainties related to litigation and governmental inquiries; and debt covenant violations raise substantial doubt about the Company’s ability to continue as a going concern.”

The audit report of KPMG on the effectiveness of internal control over financial reporting as of March 31, 2009 did not contain any adverse opinion or disclaimer of opinion, nor was it qualified or modified as to uncertainty, audit scope, or accounting principles, except that KPMG’s report indicates that the Registrant did not maintain effective internal control over financial reporting as of March 31, 2009 because of the effect of material weaknesses on the achievement of the objectives of the control criteria and contains an explanatory paragraph that states “Material weaknesses have been identified and included in management’s assessment in the areas of entity-level controls (control awareness, personnel, identification and addressing risks, monitoring of controls, remediation of deficiencies and communication of information), financial statement preparation and review procedures (manual journal entries, account reconciliations, spreadsheets, customer and supplier agreements, stock-based compensation, Medicaid rebates and income taxes) and the application of accounting principles (inventories, property and equipment, employee compensation, reserves for sales allowances and financing transactions).”

We’ll interject here with… why didn’t they just admit, “We have internal controls in place but they suck. Every last one of the controls is ineffective and we’re really not sure they’re being performed anyway. In fact, we don’t even employ people with accounting degrees. We have a weekend COSO crash course to get temps up to speed.”?

Back to the filing:

As of the date of their resignation, KPMG had not completed the audit of the consolidated financial statements and the effectiveness of the internal controls over financial reporting of the Registrant as of and for the year ended March 31, 2010. KPMG had informed the Audit Committee prior to the date of their resignation that upon completion of their audit of the consolidated financial statements as of and for the year ended March 31, 2010 they expected their audit report would contain a separate paragraph expressing substantial doubt about the Registrant’s ability to continue as a going concern and their report on internal controls over financial reporting would indicate that the Registrant did not maintain effective internal control over financial reporting as of March 31, 2010 because of the effect of material weaknesses reported as of March 31, 2009 that had not been remediated.

We’d continue but it’s probably not necessary.