Weekly podcast: Deloitte and Equifax breaches

This week we discuss breaches at two huge organisations, and show why even the big guys still need to take care of basic information security practices.

Hello and welcome to the IT Governance podcast for Friday, 29 September 2017. Here are this week’s stories.

According to a Guardian exclusive on Monday, consultancy giant Deloitte discovered in March that its global email server had been compromised, perhaps as early as October 2016, giving criminal hackers access to emails, and “potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails [also] had attachments with sensitive security and design details.”

Deloitte confirmed the incident to the Guardian, but would not be drawn on how many of its clients were potentially affected, saying only that the “very few” that were “impacted” by the incident have been notified, as have government authorities and regulators. Deloitte also told the Guardian that there was “no disruption [to] client businesses, to Deloitte’s ability to continue to serve clients, or to consumers”. It hasn’t made a public statement. So far, so typical.

But here’s where it gets a little bit more interesting. In the first line of its report, the Guardian calls the incident a “sophisticated hack”, but later in the same report reveals that it was in fact no such thing: a poorly secured admin account was to blame for the intrusion. According to the Guardian, the account gave privileged access to the whole email platform, yet required only a single password and had no two-step verification. Perhaps spurred on by this information, others have done a bit of digging.

In an article entitled “Deloitte is a sitting duck”, the Register reports that, “On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository.” They’ve now been removed.

“In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months” – and has now been removed.

This is but the tip of the iceberg. According to the Register, Deloitte also “has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled”, and other researchers have used Shodan – the search engine that indexes Internet-connected devices such as servers and routers – to find more exposed Deloitte systems reachable from the open Internet.

Deloitte is a huge organisation with a corresponding reputation. It had a reported $37 billion in revenue last year. In June, it was named the world’s best IT security consultancy by Gartner for the fifth year in a row, and last November was named a global leader in security operations consulting by ALM Intelligence. It understands that “Organisations can only improve their cyber resilience by encouraging a more proactive data security mindset and creating a culture of security”.

Schadenfreude is, of course, ungenerous, but, hearing about this incident, it’s difficult not to raise a sardonic eyebrow at the very least.

Still, the Deloitte incident is entirely overshadowed by the recent incident at Equifax, which saw the personal information of 143 million US consumers compromised, again apparently as a result of a company failing to apply basic security measures.

This week, Equifax announced the ‘retirement’ of CEO Richard Smith – the third senior executive to ‘retire’ since the breach was reported in early September. CIO David Webb and CISO Susan Mauldin have already left the company.

Mark Feidler will take over as non-executive chairman, and Paulino do Rego Barros, who currently runs the company’s Asia-Pacific division, will serve as interim CEO while the board searches for a permanent replacement.

According to the Financial Times, “Shares in Equifax, down more than a quarter since the disclosure of the data-breach earlier this month, were halted for trading ahead of the news”.

Still, these “leadership changes” are the least of Equifax’s worries. Among other agencies, the FBI, the Federal Trade Commission and the Securities and Exchange Commission are investigating, and several state attorneys general have filed lawsuits against the company. Oh, and the US Department of Justice has launched a criminal investigation into alleged insider trading after three top executives – John Gamble, Rodolfo Ploder and Joseph Loughran – sold almost $2 million worth of Equifax stock shortly before the breach was made public. Equifax says the three had no knowledge of the incident at the time they sold.

Bet they wish they’d applied that Apache Struts patch now: the fix for the flaw Equifax has blamed, CVE-2017-5638, was released in March, roughly two months before the attackers first got in.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.