
    Data Breach at Deloitte Hitting Too Close to Home for Accountants

    October 6, 2017

    My, my. So many data breaches to talk about, it’s hard to know where to start. Caleb has already been keeping you up to date with the latest on some of the recent hacks, but let’s dig in a little more on one breach in particular.

    Uh oh, Deloitte

    We learn time and time again that big firms screw up (coughAndersencough), and that’s why we enjoy reading the PCAOB reports every year. No one outside the industry pays much mind to the PCAOB audit findings, but when you start to herald “data breach,” even the non-accountants’ ears perk up to listen, and that’s not a good thing.

    One of our own, beloved Big 4 made data breach headlines at the end of September. It’s more than a little embarrassing for a cybersecurity consulting expert. When Caleb shared the news last week, he predicted that:

    when a scandal hits a huge company, they play it down, only to discover a week or two later that the bad event was worse than they thought.

    I’d say that’s proving accurate as time passes. The initial reports seem to have downplayed the incident, saying it had only impacted a handful of clients. While it may be too soon to know the full extent of the breach (heck, I’m sure Deloitte doesn’t know for certain), the internet gossip on the matter indicates it’s probably going to become appalling as time goes on.

    For instance, this KrebsOnSecurity article references a firm-wide password reset request that went out last October, which seems like too much of a coincidence. And his sources claim that Deloitte may not “know exactly how much total data was taken.” The article goes on:

    The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

    “Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

    This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.

    I can’t corroborate the claims made by this anonymous source, so it’s just internet gossip at this point. But, if there is even a shred of truth behind it, I’m interested to see if anyone has the guts to go on the record about it. I don’t think whistleblower rules apply on this one, unfortunately.

    Standard foot-dragging

    The fear of going public with these situations leads people to tug one hair out at a time instead of ripping off the band-aid. But that’s not really unusual. Just look at Yahoo, which after four years was finally willing to admit on Tuesday, according to Reuters, that “all 3 billion accounts were compromised in the 2013 breach.” Another prime example: Forbes says that Equifax sat on their breach information for over a month before spilling the beans.

    Even our good-ol’ SEC didn’t want to tell people about vulnerabilities in the EDGAR system that let hackers get access to nonpublic information about issuers (although I wouldn’t be surprised if the SEC actually didn’t know until this August). Per the WSJ:

    The SEC disclosed in September that EDGAR was hacked in 2016. The SEC didn’t realize until August that information gleaned from the intrusion may have allowed hackers to trade illegally, Mr. Clayton said last month.

    Fair warning

    In Deloitte’s case, it may stem from lax password controls such that “account access authentication [at Deloitte] simply required a single password and did not have a ‘two-step’ verification.” Which, again, is so elementary when it comes to internal control that it practically comes with a juice box.

    But, hey, I did warn you this might happen (okay, maybe it was Verizon in their 2017 Data Breach Investigations Report), but still, the prophecy that this would be the year of cyber espionage is coming to fruition. Does this ring a bell:

    In sum, here are the recommendations for financial services firms… ‘Taunt them a second time—Use two-factor or multi-factor authentication…’

    Those RSA tokens aren’t just for show, and they can’t always protect you if an administrator account is compromised.
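    The control the last few paragraphs keep coming back to is that a password alone should never be enough, least of all for an administrator. The block below is an added example, not code from the article, from Deloitte, or from the Verizon report: it implements the second factor those tokens and phone apps produce (HOTP per RFC 4226 and TOTP per RFC 6238, using the RFC reference seed so the codes are reproducible) and a login check that refuses password-only access for any admin account, plus an audit helper that lists the admin accounts still on a single password. The account directory, user names and passwords are constructed for the example.

```python
"""Password + TOTP (RFC 6238) login check with an admin-MFA policy.
Added example; the account directory below is constructed, not Deloitte's."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock drift).
    Constant-time comparison so a wrong code leaks nothing about the right one."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + off), code)
        for off in range(-window, window + 1)
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(password: str, admin: bool = False,
                 mfa_secret: Optional[bytes] = None) -> dict:
    salt, pw_hash = hash_password(password)
    return {"admin": admin, "salt": salt, "pw_hash": pw_hash, "mfa_secret": mfa_secret}


# Constructed sample directory (hypothetical users and passwords, not from the article).
# RFC_SEED is the RFC 6238 reference seed, used only so the example codes are checkable.
RFC_SEED = b"12345678901234567890"
ACCOUNTS = {
    "analyst": make_account("correct horse battery", mfa_secret=RFC_SEED),
    "mail-admin": make_account("Summer2017!", admin=True),             # single password
    "soc-admin": make_account("hunter2", admin=True, mfa_secret=RFC_SEED),
}


def authenticate(accounts: dict, username: str, password: str,
                 otp: Optional[str], now: int) -> tuple:
    """Return (allowed, reason). A password alone never logs in an admin;
    an admin account that is not MFA-enrolled is refused until it is."""
    acct = accounts.get(username)
    if acct is None:
        return False, "unknown user"
    _, candidate = hash_password(password, acct["salt"])
    if not hmac.compare_digest(candidate, acct["pw_hash"]):
        return False, "bad password"
    if acct["mfa_secret"] is None:
        if acct["admin"]:
            return False, "admin account not MFA-enrolled"
        return True, "password only (non-admin)"
    if otp is None or not verify_totp(acct["mfa_secret"], otp, now):
        return False, "missing or wrong second factor"
    return True, "password + TOTP"


def admins_without_mfa(accounts: dict) -> list:
    """Audit helper: admin accounts still relying on a single password."""
    return sorted(n for n, a in accounts.items()
                  if a["admin"] and a["mfa_secret"] is None)


if __name__ == "__main__":
    print("admins without MFA:", admins_without_mfa(ACCOUNTS))
    print(authenticate(ACCOUNTS, "mail-admin", "Summer2017!", None, 59))
    print(authenticate(ACCOUNTS, "soc-admin", "hunter2", totp(RFC_SEED, 59), 59))
```

    The `admins_without_mfa` audit is the part worth running first on a real directory: it is the list of accounts for which a single leaked or reused password is the whole story, which is exactly the condition the quoted report describes. The `window` argument trades a little replay exposure for tolerance of clock drift; keep it at one step unless the token hardware demands more.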

    But, at the end of the day, what’s the consequence for Deloitte? A PR nightmare and maybe some fines? A congressional hearing? Lost clients and revenue? I have a feeling, not much. And, while EY may get roped into the Equifax debacle over internal controls, who can we point to for Deloitte’s current mess? Who issues a SOC 2 over Deloitte’s systems? Anyone?

    Image: Photo by William Iven on Unsplash

    • Goodwill Hunting

      “Who issues a SOC 2 over Deloitte’s systems?” Joke aside, that’s a fair question to ask. Shouldn’t they be able to demonstrate that they have sound internal control in the first place before doing so for clients?

      • Big4Veteran

        No. Those who can, do. Those who can’t, audit.

    • Bob Hirth

      The (coughAndersencough) comment is getting a little old: 15 years old.
      And someone might not have told you that the US Supreme Court overturned that verdict (the indictment, not the verdict, actually put the firm out of operation, due to the duty of boards to evaluate the status of their auditor), so it’s kind of an N/A comment, or cover it as a big flub in our legal system, not the failure of a firm.
      It’s also off point to the topic: cyber security.
      While I’m at it: unfortunately, due to the passage of time, a dwindling number of great business people remember AA as a wonderfully unique and terrific firm. It created a ton of outstanding business and community leaders and pushed the accounting and consulting profession forward in many areas. In fact, several excellent leaders in the current Big 6 firms trace their roots back to AA.

      • $gross_prophet$

        We can go on and on about how AA contributed to the fall of Enron. You need to accept the facts: AA committed FRAUD, which is why they’re out of business today.

        Were you the partner assigned to the Enron audit? If you are, shame on you.

        • SFguy

          Per his LinkedIn he was an AA partner. Some people just can’t let go of the past…

          • Adam Hill

            And he graduated from SMU. Take a gander at whether that school had any issues with its football program in the late ’70s and early ’80s. Is COSO going down next?

            • TechyAccountant

              All SMU grads are humble people.

            • $gross_prophet$

              Except those that went to work for AA and later became partners. Those are what we call “douchebags.”

        • Big4Veteran

          AA didn’t contribute to the fall of Enron. They didn’t do anything to stop the fall of Enron either. That was part of the problem. The other part of the problem is that they broke the law to try to cover up their role in massively failed audits.

          • $gross_prophet$

            I agree. They broke the law. Their criminal mischief caught up to them in the long run.

      • Adam Hill

        No, AA kept on smelling their own farts for so long that they actually thought they were better than the other firms. Recruiting felt like trying to get into the rich girl sorority.

        The dwindling number of great business people you reference was the AA class of ’01. The last class.

        Everybody else knows that your major greedy fuck-up actually increased business for every other firm, both from existing clientele and the new ones who came knocking. So in a roundabout way, yes, AA did push the profession forward. $$

        But yes, the cough cough is pretty old. I’ll give you that.

      • Big4Veteran

        I remember Arthur Andersen. It was a bunch of overconfident, pretentious douchebags. They literally thought they were God’s gift to the accounting profession and the other firms were inferior. But some of them, I imagine, were good people.

        Andersen deserved to die. It needed to die. There were a lot of innocent people (non-partners) there who were affected, but they mostly landed on their feet (at other firms).

        • $gross_prophet$

          A bunch of overconfident, pretentious douchebags. That sounds like Deloitte.

          • guest

            Yeah. A lot of those Andersen people landed at Deloitte, and were sure to let it be known that they were doing Deloitte a favor in their time of need.

        • Point and Clique

          “But some of them, I imagine, were good people.”

          That phrasing has to be intentional.