August 18, 2018

Data Breach at Deloitte Hitting Too Close to Home for Accountants


My, my. So many data breaches to talk about, it’s hard to know where to start. Caleb has already been keeping you up to date with the latest on some of the recent hacks but let’s dig in a little more about one breach in particular.

Uh oh, Deloitte

We learn time and time again that big firms screw up (coughAndersencough), and that’s why we enjoy reading the PCAOB reports every year. No one outside the industry pays much mind to the PCAOB audit findings, but when you start to herald “data breach,” even the non-accountants’ ears perk up, and that’s not a good thing.

One of our own beloved Big 4 firms made data breach headlines at the end of September. It’s more than a little embarrassing for a cybersecurity consulting expert. When Caleb shared the news last week, he predicted that:

when a scandal hits a huge company, they play it down, only to discover a week or two later that the bad event was worse than they thought.

I’d say that’s proving accurate as time passes. The initial reports seem to have downplayed the incident, saying it only had impacted a handful of clients. While it may be too soon to know the full extent of the breach (heck, I’m sure Deloitte doesn’t know for certain), the internet gossip on the matter indicates it’s probably going to become appalling as time goes on.

For instance, this KrebsOnSecurity article references a firm-wide password reset request that went out last October that seems like too much of a coincidence. And his sources claim that Deloitte may not “know exactly how much total data was taken.” The article goes on:

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.

I can’t corroborate the claims made by this anonymous source, so it’s just internet gossip at this point. But, if there is even a shred of truth behind it, I’m interested to see if anyone has the guts to go on the record about it. I don’t think whistleblower rules apply on this one, unfortunately.

Standard foot-dragging

The fear of going public with these situations causes people to avoid ripping off the band-aid and instead tug one hair out at a time. But that’s not really unusual; just look at Yahoo, which after four years was finally willing to admit on Tuesday, according to Reuters, that “all 3 billion accounts were compromised in the 2013 breach.” Another prime example: Forbes says that Equifax sat on its breach information for over a month before spilling the beans.

Even our good ol’ SEC didn’t want to tell people about vulnerabilities in the EDGAR system that gave hackers access to nonpublic information about issuers (although I wouldn’t be surprised if the SEC actually didn’t know until this August). Per the WSJ:

The SEC disclosed in September that EDGAR was hacked in 2016. The SEC didn’t realize until August that information gleaned from the intrusion may have allowed hackers to trade illegally, Mr. Clayton said last month.

Fair warning

In Deloitte’s case, it may stem from lax password controls, such that “account access authentication [at Deloitte] simply required a single password and did not have a ‘two-step’ verification.” Which, again, is so elementary when it comes to internal control that it comes with a juice box.

But, hey, I did warn you this might happen (okay, maybe it was Verizon in their 2017 Data Breach Investigations Report), but still, the prophecy that this would be the year of cyber espionage is coming to fruition. Does this ring a bell?

In sum, here are the recommendations for financial services firms… ‘Taunt them a second time—Use two-factor or multi-factor authentication…’

Those RSA tokens aren’t just for show, and they can’t always protect you if an administrator account is compromised.

But, at the end of the day, what’s the consequence for Deloitte? A PR nightmare and maybe some fines? A congressional hearing? Lost clients and revenue? I have a feeling, not much. And, while EY may get roped into the Equifax debacle over internal controls, who can we point to for Deloitte’s current mess? Who issues a SOC 2 over Deloitte’s systems? Anyone?

Image: Photo by William Iven on Unsplash
