
Cyber Incident Victim: Deloitte

Date:

Oct 2016

Location:

United States of America

Summary

A major cybersecurity breach targeted one of the world's largest accounting firms, compromising its global email server via an administrator account lacking two-factor authentication. The attackers gained prolonged unauthorized access to sensitive client communications, potentially exposing emails, usernames, passwords, IP addresses, business diagrams, and health information across multiple sectors including banking, government, and pharmaceuticals. While the firm confirmed only a small fraction of its estimated 5 million cloud-stored emails were affected and notified six impacted clients, the incident prompted an extensive internal investigation involving cybersecurity experts and external legal counsel to assess the intrusion's scope and mitigate fallout. The breach response included notifying governmental authorities and reinforcing security protocols, though the firm maintained no client business disruptions occurred.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

Deloitte, one of the world's largest accounting and professional services firms, experienced a significant cybersecurity breach that began around October or November 2016 and remained undetected until March 2017. The attackers gained unauthorized access to Deloitte's global email server by compromising an administrator's account that lacked two-step verification, requiring only a single password for authentication. This privileged account provided unrestricted access to Deloitte's Microsoft Azure-based email system, which stored correspondence for all 244,000 employees. The breach exposed confidential client communications, including sensitive attachments containing security details, architectural diagrams, health information, usernames, passwords, and IP addresses. While Deloitte maintained the attack primarily affected US operations, impacted clients spanned multiple sectors including banking, pharmaceuticals, media, government agencies, and multinational corporations.


Upon discovery in March 2017, Deloitte initiated an internal investigation codenamed "Windham," mobilizing cybersecurity experts and confidentiality specialists from within and outside the organization. Forensic analysts based in Rosslyn, Virginia, spent six months analyzing the electronic trail of hacker activity within the compromised systems. The company notified six clients that their information was directly impacted, though the full scope involved potential access to an estimated 5 million emails across the Azure cloud environment. Deloitte retained the Washington law firm Hogan Lovells in April 2017 to address legal implications and regulatory notifications, while deliberately limiting internal knowledge of the breach to senior partners and legal counsel. According to Deloitte, the investigation confirmed that attackers accessed only a small fraction of the total email repository, though independent reports suggested broader exposure. Despite the compromise of sensitive client data, Deloitte stated that no business disruption occurred for clients or for its own operations. The firm implemented enhanced security protocols but declined to specify which government authorities were notified or whether law enforcement agencies were involved. The origin of the attack, whether state-sponsored, corporate espionage, or individual actors, remained undetermined at the conclusion of the disclosed investigation period.

Sources
Sources available to members
1 source