Cyber Incident Victim: Deloitte
Date: May 2023
Location: United States of America
Summary
The Clop ransomware gang exploited a zero-day vulnerability in the MOVEit file transfer software and listed Deloitte on its data leak site. The professional services firm denied that client data was impacted, stating its use of the vulnerable software was limited and an investigation found no evidence of such a breach. The incident was part of a widespread attack affecting hundreds of global organizations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 30, 2023, the Clop ransomware gang listed the professional services firm Deloitte on its data leak site, also referred to as its "wall of shame" victim blog. In its public disclosure, Clop claimed that "the company doesn’t care about its customers" and that it "ignored their security." This listing occurred amidst a widespread exploitation campaign targeting a zero-day vulnerability in the MOVEit secure file transfer software, which Clop had been conducting. Deloitte was the third of the 'Big Four' accounting and consulting firms to appear on Clop's site, following similar listings for PricewaterhouseCoopers (PwC) and EY.

Upon becoming aware of the zero-day vulnerability in MOVEit, Deloitte immediately applied the security updates provided by the software vendor, Progress Software. The firm also performed mitigating actions strictly in accordance with the vendor's published guidance. Following these initial containment steps, Deloitte commenced an investigation into the potential impact of the vulnerability on its systems. This investigation involved an analysis of the firm's global network usage of the vulnerable MOVEit Transfer software.
The outcome of Deloitte's internal analysis determined that its global network use of the vulnerable software was "limited." Based on this forensic review, a company spokesperson stated that they had "seen no evidence of impact to client data." Deloitte publicly refuted Clop's claims, denying that a breach impacting client data had occurred. The firm’s statement was a direct response to speculation and concerns sparked by its appearance on the ransomware group's leak site. At the time of the reports, Deloitte's dedicated page on Clop's website did not feature any download links for allegedly stolen files, which differed from the listings of other confirmed victims like PwC and EY.
The incident involving Deloitte was part of a much larger global cybersecurity event centered on the MOVEit software. The Clop ransomware gang exploited a zero-day vulnerability in the widely used file transfer tool, leading to a mass compromise of organizations. Security researchers at Microsoft identified Clop as the group behind the attack. By the end of May 2023, the number of affected organizations globally had risen to at least 514 according to experts at cybersecurity firm Emsisoft, with victims spanning numerous industries including education, healthcare, finance, and government services.
Other major organizations were confirmed victims of the same MOVEit attack campaign. The US government services contractor Maximus confirmed in a regulatory filing that the information of up to 10 million individuals may have been accessed by the hackers. The company noted that the impacted files contained personal information, including Social Security numbers and protected health information, pertaining to individuals participating in various government programs such as Medicaid, Medicare, and CHIP. Gambling giant Flutter, which controls brands like FanDuel and PokerStars, also confirmed it was affected and that data was accessed, though it did not specify whether customer information was involved. Toyota Boshoku Corporation, a member of the Toyota Group, confirmed its European subsidiary's data was accessed. Pension Benefit Information, an organization that verifies beneficiary data for pension funds globally, was also officially added to Clop's list and confirmed it was affected, leading to breach disclosures from dozens of its client organizations.
The broader impact of the MOVEit campaign was significant, affecting hundreds of entities and potentially millions of individuals' personal data. Maximus estimated the incident would cost the company approximately $15 million and that its investigation would last several more weeks. The company committed to providing breach notifications to affected individuals and offering them free credit monitoring and identity restoration services. Deloitte's response focused on assuring clients and the public that their analysis had found no evidence of a compromise of client information, emphasizing the limited and mitigated use of the vulnerable software within its global network.
