Deloitte Reports Cyberattack on Monday
Ian Fleming, author of the legendary James Bond series, once observed (speaking through the character Auric Goldfinger): “Once is happenstance. Twice is coincidence. The third time, it’s enemy action.”
A disturbing pattern may be emerging with Monday’s news of yet another high-profile data breach directed towards America’s financial backbone. Over the preceding three weeks, Equifax (one of the three major consumer credit reporting bureaus) and the Securities and Exchange Commission (charged with overseeing and regulating America’s securities markets) both disclosed extremely effective cyberattacks that led to data breaches.
Largest of Big Four Accounting Firms Reports Cyberattack
The largest of the “Big Four” accounting firms, Deloitte, reported that it experienced a cyberattack on Monday. As reported by the Guardian, Deloitte apparently discovered the breach in March of this year, but the hackers may have gained access as early as October or November of 2016.
In describing the breach, Deloitte indicated that the attackers were able to utilize an administrator account to access Deloitte’s global corporate email system, which was hosted via Microsoft’s Azure cloud service. Reportedly, the administrator account that was compromised did not require two-factor authentication to log in. Two-factor authentication is a commonly-employed security feature that is utilized and encouraged by virtually all large technology companies, such as Gmail and Facebook.
With access to the global email server, hackers potentially had access to extremely sensitive information about Deloitte’s clients, many of whom include blue-chip companies in the US, UK, and India. However, Deloitte maintains that the number of clients actually impacted is minimal.
Deloitte’s Reputation for Cybersecurity was Phenomenal
Deloitte is incorporated in the United Kingdom. The UK has steadily taken steps to improve its cybersecurity posture since it enacted the 2011 UK Cyber Security Strategy. Combined with regulatory pressure from the European Union, the UK Government has been extremely proactive in addressing the economic national security challenges posed by cyberattacks. In June 2014, the UK implemented its Cyber Essentials program. The Cyber Essentials program allows companies to become self-certified by completing a self-assessment of the company’s basic information security practices. Companies can also obtain a Cyber Essentials PLUS certification by undergoing an independent, third-party information security evaluation, which is more thorough.
In 2012, Deloitte was recognized by Gartner as being the number one cybersecurity consulting firm in the world by revenue. Deloitte obtained a Cyber Essentials certification in 2014. Since 2015, Deloitte has held a Cyber Essentials PLUS certification through the UK Government approved accreditation body, CREST. In other words, Deloitte’s reputation for cybersecurity was stellar.
The Similarities Between the Three Attacks
What stands out about all three attacks? Each attack’s goal was not to cause disruption (like a distributed denial of service attack) or damage with a small chance of financial gain (like a ransomware attack), but rather to obtain truly valuable information that could generate large profits.
I find no coincidence in these specific targets. Potential test filings were obtained from the SEC, which could be used to trade on insider information. Emails belonging to the largest accounting firm in the world — one that prepares SEC regulatory filings and is in the business of storing and interpreting confidential financial information — were potentially compromised. The emails could paint a more comprehensive picture of publicly-traded companies’ financial status, and even provide fresher sources of insider information. All while countless Americans’ private information was surreptitiously gained from Equifax – the very same information that would be needed to set up false bank accounts and securities accounts.
What Could Happen Next?
Beginning in November 2016, comprehensive economic sanctions packages have been imposed on North Korea, the more recent of which could effectively cripple North Korea’s already fragile export economy. With its sources of trading revenue eviscerated, how else might a country with a dedicated cyberwarfare unit seek to obtain new income? Perhaps, by establishing dummy accounts in the names of Americans (using stolen data from Equifax) and using those accounts to trade on insider information (obtained by the SEC and Deloitte) to generate significant earnings. (Of course, getting the money out of the country would be more difficult.)
Then again, attribution is extremely difficult in the realm of cybersecurity. After all, it could just be some guy in his basement. If it’s not, let’s just hope that news of a fourth cyberattack does not break in the coming months. If Deloitte is in fact the “third time,” then the “fourth time” might very well serve as casus belli — a case for cyber war.
Mr. Haut focuses on litigation relating to commercial litigation, cybersecurity, and privacy law matters. In his final year of law school, Mr. Haut served on the Sherman Minton Moot Court Executive Board, where he helped draft the Moot Court competition problem — exploring issues relating to government searches of electronic devices, cybercrime, and sentencing reform.