Touché Deloitte

You would have to have been hiding under a rock, on a distant planet or listening to death metal with your VR headset on, to have missed this week’s screaming headlines about a megahack at none other than Gartner’s ‘security consultancy of the year’, Deloitte.

Hot on the heels of the Equifax uber-blunder, you can feel the joy within the information security community to see a giant of the game taking a kicking. So what is it all about?

On Tuesday of this week (26/09/17) a number of VPN credentials for access to the Deloitte network were found on a public GitHub repository and furthermore a Deloitte employee appeared to have posted company proxy details onto Google+ for world+dog to see. Very messy. The GitHub stuff was taken down the same day, the Google+ stuff was copied widely to pastebin and the other usual suspects, but has also now been removed.

It would seem that in a strange coincidence, Deloitte has also seen sense regarding VPN access via its F5 devices and enabled and mandated two factor authentication, as we are sure all of you shall we say ‘curious’ types are well aware.

Off the back of this news, security researchers the world over went wild, looking for exposed Deloitte servers and gleefully publishing details of their finds to further put the boot into the big Old Firm. This El Reg article sums it up.

The question nobody is asking is that if this much scrutiny was applied to any massive corporation – would the outcome be similar?

As the dust began to settle, the more mature journalists, working for more mature organisations than self serving twitter posts etc., dug into the issue and discovered that indeed Deloitte did have a problem, but this was some time ago (probably before March 2017) and it has been dealt with. Investigation over. It appears that these recent leaks may be totally unrelated or at best collateral fallout.

There are two issues that need to be considered here. If you get hacked, how do you manage communications? It seems that trying to keep entirely schtum is never going to work, especially if you are a big old beast that demands openness, honesty and transparency from your clients and hasn’t made very many friends in a ‘let them eat cake’ sort of way.

Secondly, it is probably important for security reviewers, journalists and publishers to shy away from shrieking headlines until the facts are established. This of course will never happen.

As for Deloitte, they are big enough, old enough and definitely ugly enough to get through this, however even if it isn’t all true, there is no smoke without fire and damage has been done. We look forward to never knowing what actually happened. GDPR anyone?

If you would like to discuss breaches or any related Cyber issue, please contact us at: [email protected] or call 020 7517 3900.