By Shatavisha Chakravorty
In today’s era of technological advancement, almost all our needs (financial or otherwise) are dealt with digitally. In such a scenario, our greatest threat is not from thieves and robbers. It is cyber intruders who must be feared. The gravity of this statement was reiterated to us following the recent cyber-attack on Deloitte, one of the largest global accounting firms.
One of the ‘Big Four’ companies in the corporate world, Deloitte provides auditing services, tax consultancy and financial risk advice to some of the world’s biggest companies. Registered in London, the company has its headquarters in New York.
With a global presence in hundreds of countries, its client base includes both MNCs as well as government agencies. One of the largest private firms in the US, last year Deloitte reported record revenue of $37 billion. It is ironical to note that a firm which has made a mark for itself in the world of cyber security consulting is today struggling with cyber security.
In the month of March, the accounting giant discovered that confidential data pertaining to six of its major US clients was being accessed by some unauthorised personnel. On further inspection it was found that the hackers had access to the data since last fall (October-November 2016).The lost data included passwords, e-mails and other confidential data. The fact that all the security breaches were US specific raises many questions.
Hackers managed to gain access to the company’s email server through an administrator account that was not secured using two factor authentications. This granted him or her unrestricted access to Deloitte’s Microsoft hosted mailboxes. Once that was achieved, the hackers had complete access to usernames, passwords and IP addresses. They also had potential access to architectural diagrams for business and health information.
The official figures for how much of these data have been used (or rather misused) have not yet been declared. The company has not released the hard numbers or indicated whether the attack affected individuals. However the manner in which the entire process was executed shows that there was a lot of meticulous planning involved. Speculation within the cyber world has theorised that the attacks were focused on corporate clients and not on individual clients. However, this is just a speculation and its reliability has not been confirmed by official sources.
Till date, no individual or company has taken up responsibility for the attack. Thus it is yet to be established if it was a lone wolf, business rivals or state sponsored hackers who were responsible for this massive attack. However the fact that the attack appeared to target email systems to gain access to client information (possibly corporate client information) suggests that the hackers were cyber criminals looking to steal data that could be sold.
It is interesting to note that Deloitte is not the first high profile company to be targeted by cyber criminals. A couple of weeks ago, Equifax revealed that confidential data belonging to 140 million customers have been compromised in a security breach. For those of you unaware of the firm, it is one of the world’s largest credit checking companies. Hence this breach is one of the largest data breaches in history, with up to 400,000 bitcoins stolen in the hack. Each of the bitcoins is believed to have stored personal information of the clients.
The lesson that the Equifax attack was supposed to teach the corporate world was finally learnt following the Deloitte attack. The firm set up a team of dedicated and highly qualified cyber experts who were responsible for everything concerning this matter. Once this team was mobilised, an intensive and through review was initiated. With Deloitte coming up with new comprehensive security protocols, other corporates are also taking a note of it to ensure such a thing does not happen to their firms. If such stringent measures are adopted on a large scale, very soon cyber-crime will become a thing of the past.
(The author is a Bengaluru-based
technical content writer)