Deloitte Breach: A Lesson in Privileged Account Management

Another day, another major data breach uncovered at a high-profile company. Deloitte has recently announced that malicious outsiders infiltrated their email database and gained access to everything it contained, including confidential emails, attachments, IP addresses, login information, and more.

Since Deloitte is a leading accounting and consulting firm, this major data breach shocked the security community, especially as Deloitte had just been ranked #1 by Gartner for security consulting for the 5th consecutive year (based on revenue).


Deloitte Breach: What We Know

How did it happen?

The Deloitte breach occurred in the fall of 2016 and was discovered by Deloitte in March of 2017. During this time, Deloitte had been migrating from their old email software to Office 365 and did not yet have two-factor authentication (now standard at Deloitte) in place for email login, so an administrator account was protected by nothing more than a single password.

Based on initial investigations, they determined that the attackers had infiltrated the email system by gaining access to an administrator account. This privileged account gave the attackers access to everything within the system, including the content of emails, attachments, login data, and more.


When the news of the breach first broke, Deloitte claimed only six clients were impacted, but this number quickly escalated to about 350 clients. Since there was no tracking or record of what the attackers did within the system, there was no way to know what information was accessed or taken. In addition, since Deloitte was transitioning between email systems at the time, a complete forensic investigation was effectively impossible: when you cannot reconstruct what a privileged account did, you have to assume that everything it could reach was exposed, which is exactly how six clients became 350. Although the breach is now contained, having access to this much confidential data makes it easier for the attackers to craft detailed spear phishing emails to get employees and other individuals to divulge even more information.
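The gap described above, a privileged account whose actions nobody was watching, is what a detection rule over the admin audit trail is meant to close. The following is an added example, not code from Deloitte or WALLIX. It runs a few rules over constructed audit records: an administrator signing in without MFA or from an unfamiliar address, the same administrator granting itself access to several mailboxes in a short window, and a mailbox being set to forward outside the organization. The record schema (`time`, `user`, `op`, `target`, `ip`, `mfa`), the account names, the IP addresses and the thresholds are all assumptions made for the example; the operation names are loosely modelled on Exchange admin cmdlets but the log lines themselves are constructed.

```python
"""Flag privileged-account abuse in constructed mailbox audit records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the schema is an assumption for this example.
SAMPLE_LOG = """\
{"time":"2016-10-03T02:11:09Z","user":"mailadmin@corp.example","op":"UserLoggedIn","ip":"203.0.113.7","mfa":false}
{"time":"2016-10-03T02:12:30Z","user":"mailadmin@corp.example","op":"Add-MailboxPermission","target":"cfo@corp.example","ip":"203.0.113.7"}
{"time":"2016-10-03T02:12:41Z","user":"mailadmin@corp.example","op":"Add-MailboxPermission","target":"partner1@corp.example","ip":"203.0.113.7"}
{"time":"2016-10-03T02:12:55Z","user":"mailadmin@corp.example","op":"Add-MailboxPermission","target":"partner2@corp.example","ip":"203.0.113.7"}
{"time":"2016-10-03T02:14:02Z","user":"mailadmin@corp.example","op":"Set-Mailbox","target":"cfo@corp.example","param":"ForwardingSmtpAddress","ip":"203.0.113.7"}
{"time":"2016-10-03T09:30:00Z","user":"helpdesk@corp.example","op":"UserLoggedIn","ip":"198.51.100.20","mfa":true}
{"time":"2016-10-03T09:31:12Z","user":"helpdesk@corp.example","op":"Add-MailboxPermission","target":"newhire@corp.example","ip":"198.51.100.20"}
"""

# Assumed inventory of privileged accounts and of the admin network they normally use.
PRIVILEGED = {"mailadmin@corp.example", "helpdesk@corp.example"}
KNOWN_ADMIN_IPS = {"198.51.100.20"}
BULK_THRESHOLD = 3            # grants within WINDOW that count as bulk access
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(records):
    """Return a list of (rule, user, detail) alerts, in log order."""
    alerts = []
    grants = defaultdict(list)   # user -> timestamps of mailbox permission grants
    for r in records:
        user = r["user"]
        if user not in PRIVILEGED:
            continue             # only privileged accounts are in scope here
        ts = datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ")
        op = r["op"]
        if op == "UserLoggedIn":
            if not r.get("mfa", False):
                alerts.append(("ADMIN_LOGIN_WITHOUT_MFA", user, r["time"]))
            if r["ip"] not in KNOWN_ADMIN_IPS:
                alerts.append(("ADMIN_LOGIN_UNKNOWN_IP", user, r["ip"]))
        elif op == "Add-MailboxPermission":
            grants[user].append(ts)
            recent = [t for t in grants[user] if ts - t <= WINDOW]
            if len(recent) == BULK_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("BULK_MAILBOX_ACCESS_GRANT", user, r["time"]))
        elif op == "Set-Mailbox" and r.get("param") == "ForwardingSmtpAddress":
            alerts.append(("MAILBOX_FORWARDING_SET", user, r["target"]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(SAMPLE_LOG)):
        print(f"{rule:28} {user:26} {detail}")
```

Run against the sample, the helpdesk account's single, MFA-backed grant from the admin network is silent, while the `mailadmin` session produces four alerts in sequence: a password-only sign-in, an unfamiliar source address, three mailbox grants in under a minute, and a forwarding rule on the CFO's mailbox. The point is not the specific thresholds but that each rule keys on the privileged account doing something a normal administrator rarely does, so the alert fires during the session rather than six months later.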

Who was impacted?

One of the major issues with this breach is how many high-profile clients Deloitte has. Although not every affected client has been named, some of the organizations that may have had confidential information viewed or stolen include:

  • US Department of Defense
  • US State Department
  • US Department of Energy
  • US Department of Homeland Security
  • National Institutes of Health
  • US Postal Service
  • United Nations
  • Fédération Internationale de Football Association (FIFA)
  • Global banks
  • Global airlines
  • Car manufacturers
  • Energy companies
  • Pharmaceutical manufacturers

Why was Deloitte targeted?

We all know that data breaches happen all the time, but attacks on larger companies appear to be becoming more common. Hackers are simply following the money. On the dark web, confidential information can be sold for major profit. A huge company like Deloitte also holds the type of confidential information that could influence major business decisions and be used for insider trading.


What’s more, all the information taken during this attack, the extent of which is still unknown, makes every future attack easier. Hackers can tailor strategic spear phishing emails to employees at Deloitte or at any of the impacted companies. If the attackers know exactly what to say, employees could potentially reveal even more information.

It All Could Have Been Prevented

If Deloitte had had the proper security infrastructure in place, this entire breach could have been prevented. The root of the breach was a lack of control and visibility over the administrative email account, which was a privileged account protected by a single password and no second factor. Since this account had all the permissions necessary to access everything, whoever held its credentials could read whatever data they wanted, whenever they wanted, and then cover up the evidence. Deloitte should have had a privileged account management system in place, with two-factor authentication enforced on every administrative login and every privileged session recorded.


Privileged Account Management with WALLIX

The WALLIX Bastion provides organizations with a privileged account management (also known as "privileged access management" or PAM) solution designed to prevent breaches of this magnitude. It includes the tools organizations need to have control and visibility over all users within an organization, including privileged users. Administrative accounts are still used, but no command, deletion, or action can be completed through the Bastion without being recorded.

This type of technology would have given Deloitte a far better picture of exactly what information was accessed and tampered with during this breach, and the attackers would have been unable to cover their tracks. In addition, even if the attackers had been able to get into the system, security teams could have been alerted as the suspicious activity occurred and contained the breach within hours instead of months.


A typical privileged account management solution includes a password manager, an access manager, and a session manager, all of which work together to keep your critical data and systems protected from malicious outsiders and insiders. WALLIX PAM creates complete and unalterable audit trails, which make it easy for security teams to understand everything that occurs within a system and make it easier to meet compliance regulations.

The WALLIX Bastion allows an organization to:

  • Monitor all activity in real-time
  • Record all sessions for later review and search (using optical character recognition technology)
  • Protect privileged accounts from unauthorized use
  • Prevent the escalation of privileges
  • Meet compliance regulations
  • Keep root passwords hidden from users in an encrypted vault
  • Enforce password policies
  • Monitor access of every user
  • Alert security teams of potential vulnerabilities or breaches-in-progress
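The "unalterable audit trail" and "record all sessions" capabilities described above rest on one property: an attacker who controls the administrator account must not be able to quietly edit or delete the record of what that account did. The following is an added example, not WALLIX's implementation, of the simplest construction that gives that property: a hash chain in which every session record commits to the hash of everything recorded before it. Modifying or removing an entry breaks the chain at that point. The record fields, the account names and the sample session are constructed for the example; the chain-head anchoring in `verify_anchored` stands in for whatever external, write-once store a real product uses.

```python
"""Tamper-evident session audit trail as a SHA-256 hash chain (added example)."""
import hashlib
import json

GENESIS = "0" * 64   # hash the first entry chains from


def _digest(prev_hash, record):
    """Hash of this record together with the hash of the entry before it."""
    # Canonical JSON so the same record always serializes, and hashes, identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(trail, record):
    """Append a record whose hash commits to the whole trail before it."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {"seq": len(trail), "record": record, "hash": _digest(prev, record)}
    trail.append(entry)
    return entry


def verify(trail):
    """Walk the chain; return (True, None) or (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["seq"] != i or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def verify_anchored(trail, head_hash):
    """A chain alone cannot detect deletion of its tail: the shortened trail still
    verifies. Comparing the last hash against a copy stored outside the attacker's
    reach (the anchor) closes that gap."""
    ok, _ = verify(trail)
    return ok and bool(trail) and trail[-1]["hash"] == head_hash


def build_sample_trail():
    """Constructed session: an admin reads another user's mailbox via the bastion."""
    trail = []
    for rec in [
        {"user": "mailadmin", "action": "session.start", "via": "bastion"},
        {"user": "mailadmin", "action": "Add-MailboxPermission", "target": "cfo"},
        {"user": "mailadmin", "action": "Search-Mailbox", "target": "cfo"},
        {"user": "mailadmin", "action": "session.end"},
    ]:
        append(trail, rec)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    head = trail[-1]["hash"]
    print("intact:", verify(trail))
    trail[1]["record"]["target"] = "intern"      # attacker rewrites who was accessed
    print("edited:", verify(trail))
    trail = build_sample_trail()
    del trail[2]                                 # attacker deletes the search
    print("deleted:", verify(trail))
    trail = build_sample_trail()[:3]             # attacker truncates the tail
    print("truncated, chain only:", verify(trail))
    print("truncated, anchored:", verify_anchored(trail, head))
```

Two design points are worth noting. First, the chain only proves integrity, not authorship: any party who can write to the store and knows the format can extend it, so in practice the head hash is periodically signed or pushed to append-only storage that the administrator being audited cannot reach. Second, `verify` reports the first broken entry, which is exactly the forensic question Deloitte could not answer: from which point onward can the record no longer be trusted.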


Deloitte Breach: Don’t Let It Happen to Your Organization

Using a privileged account management solution is one of the most effective ways to improve security throughout your organization and prevent major data breaches like this one. It gives you control and visibility over everything privileged users do within your organization. Complete session recordings and unalterable audit trails allow you to meet compliance regulations more easily and help you understand where your systems are vulnerable. Privileged account management is the control every organization needs to keep hackers away from its most powerful accounts and its critical data secure.

Use the WALLIX Bastion to keep your organization protected against cyberattacks and data breaches.