Security Consultant Deloitte Suffers Major Hack

Blockchain, Crime, FinTech, News | September 26, 2017 By:

Global accounting firm Deloitte, one of the biggest blockchain and security consultants in the world, has suffered a hack that compromised sensitive information, including health records.

The UK newspaper The Guardian was the first to report the security intrusion at the billion-dollar firm, which is heavily into intial coin offerings and blockchain development for some of the world’s largest banks, pharmaceutical companies and other multinational firms. Some US government information may also have been compromised, the Guardian reported. Deloitte is headquartered in New York.

Deloitte is still reviewing the extent of the damage, but has notified at least six clients. The hack was discovered in March, but may have been initiated as far back as October, 2016. The hack occurred through an administrator account that allowed access to all areas of the Deloitte database, including emails, usernames, passwords, IP addresses, architectural diagrams for businesses, and health information.

Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted.” The firm declined to elaborate further, but noted, “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said.

One security expert noted the long gap between discovery and disclosure.  “Knowing and disclosing are two different things,” said Roderick Jones, the head of the Rubica security firm.  “The rules around when cyber breaches have to be disclosed are still forming in the USA and remain a patchwork of state rules giving companies significant leeway in when they report incidents have occurred.”

By contrast, Jones said, the new GDPR (General Data Protection Regulation) that is due to come into effect within the EU in 2018 requires companies to disclose a breach 72 hours after they become aware of the breach. “Given the global nature of companies such as Deloitte, it seems likely they will have to adopt this standard globally to ensure they don’t run afoul of EU regulations.”