Stolen password lets hackers into Deloitte’s systems
SecurEnvoy 28/09/2017 Industry News
If proof were needed of the importance of multi-factor authentication, then the recent experience of global consultancy Deloitte certainly delivers it.
As the Guardian newspaper revealed on September 24th, Deloitte has become the victim of a hacking attack that aimed at (and succeeded in) revealing the secret details of its clients’ emails.
But far from being a fiendishly sophisticated assault on a well-defended organisation, the scam was achieved by knowing the password of a single system administrator. With that simple piece of information, the hackers were able to gain access to Deloitte’s email services and, according to some reports, extract several gigabytes of data containing the content and details of clients’ email messages and attachments.
According to the Guardian report, clients from a wide range of sectors, including US government departments, had material in the email system that was breached. So far, Deloitte has admitted that six of its clients have been informed that their information was “impacted” by the hack.
According to the same report, the hack may have started as early as October or November 2016, although it was not discovered until March this year. During that time, the hackers would have had free rein to access records on the system.
For such a key system to rely simply on user name and password for access is a fundamental failure of security, and one that could easily have been fixed by the addition of multi-factor authentication.
Apart from the damage that Deloitte’s own customers may have suffered as a result of the breach, the damage to Deloitte’s own reputation is incalculable. A company failing to implement something as fundamental as multi-factor authentication may find it hard to get its clients to take its advice on security seriously from now on.
As all SecurEnvoy’s customers know, multi-factor authentication is easy to implement and manage, and at a stroke removes the fragile reliance on passwords for security. SecurEnvoy’s Tokenless® technology gives maximum flexibility and ease of use, and can be rapidly introduced – thereby ensuring that a lost password no longer offers hackers an easy way into the system.