Deloitte hack compromised sensitive emails, client data

News roundup: During the Deloitte hack, attackers had access to client data and internal email servers. Plus, the U.S. asks China not to enforce its Cybersecurity Law, and more.

Deloitte, one of the "big four" accounting and consultancy firms, has confirmed it exposed confidential emails and client data in a targeted attack.

Deloitte, which provides high-end cybersecurity consulting services, discovered the hack in March 2017, but attackers may have had access to the company's systems since October or November of 2016.

According to The Guardian, which broke the story of the Deloitte hack early this week, attackers were able to compromise Deloitte's email server through an administrator account that wasn't protected with two-factor authentication. Through this email server, The Guardian reported, the attacker likely had privileged, unrestricted access to all systems, including the Microsoft Azure cloud service that Deloitte uses to store the emails its staff sends and receives. In a statement on the incident, Deloitte confirmed attackers were able to "access data through an email platform" but didn't provide further details on additional systems or services that may have been affected.

Deloitte provides services to major companies across the globe, including banks, multinational corporations and government agencies. The company claimed that "very few clients were impacted" by the breach. According to The Guardian, only six of the organization's clients have been alerted that their information was compromised in the Deloitte hack. However, the hackers did potentially have access to usernames, passwords, IP addresses, health information and architectural diagrams for businesses.

The Deloitte hack focused primarily on U.S.-based operations and spurred an internal investigation that's lasted six months so far. The responsible parties have yet to be identified, though, and Deloitte hasn't released any specific details on how many clients were affected.

In other news

  • A bug in the most recent version of Internet Explorer exposes whatever is entered into the address bar -- such as website addresses or searches -- to hackers. Security researcher Manuel Caballero disclosed the flaw in a blog post this week. "When a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own," Caballero wrote. "To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker." This means that whatever a targeted user types into the address bar can be viewed by a malicious actor. Caballero's proof of concept shows that malicious sites can view information the user assumed was private. He also expressed his concerns about Microsoft's handling of Internet Explorer. "In my opinion, Microsoft is trying to get rid of IE without saying it. It would be easier, more honest to simply tell users that their older browser is not being serviced like Edge," he said.
  • The United States has asked China not to enforce its Cybersecurity Law that was passed in November 2016 and went into effect in June this year. In a document submitted to the World Trade Organization, the U.S. said "China's measures would disrupt, deter, and in many cases, prohibit cross-border transfers of information that are routine in the ordinary course of business." The Cybersecurity Law states that any "network operators" in China, including any local or international firms that collect data, must store all user data within China. The U.S. argued in the document that "such a broad definition" of network operators "could have a negative impact on a wide range [of] foreign companies." It also raised concerns that "the measures, which pertain to 'important data' and 'personal information,' would severely restrict cross-border transfers unless a broad set of burdensome conditions are met." The U.S. noted some other concerns in the document and requested that China "refrain from issuing or implementing final measures until such concerns are addressed."
  • Oracle released out-of-band patches for the latest Apache Struts 2 vulnerability, tracked as CVE-2017-9805, a month before its scheduled quarterly Critical Patch Update. In its blog post announcing the availability of the patches, Oracle noted that a previous Apache Struts 2 vulnerability, left unpatched, was implicated in the "significant security incident" suffered by Equifax earlier this month. The patches were made available by the Apache Foundation for the popular web development framework on Sept. 5, but vendors like Oracle using the open source framework need to apply those patches to their own source code. "Oracle strongly recommends that customers apply the fixes contained in this Security Alert as soon as possible," wrote Eric Maurice, director of security assurance at Oracle. "Furthermore, Oracle reminds customers that they should keep up with security releases and should have applied the July 2017 Critical Patch Update (the most recent Critical Patch Update release)."