Cybersecurity Alert: Deloitte Reports Data Breach

September 26, 2017

Threat Summary

On September 25, Deloitte confirmed a published news report that it had experienced a “cyber incident.” In a statement, Deloitte said that an attacker had accessed client email from an email platform, impacting what the firm described as “very few clients.” The firm said that it had initiated an “intensive and thorough” review, and had contacted both governmental authorities as well as the “very few” affected clients about the event. “No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers,” the firm said.

Deloitte’s statement, which did not provide details of the timing, scope, or nature of the breach, apparently was issued in response to an article published earlier that same day by the Guardian, a leading UK newspaper. According to the news article, the Deloitte hacker gained access to the firm’s email server through an administrative account that “in theory” provided unrestricted access to data. Citing unnamed sources, the Guardian reported that the account only required a single password, and was not protected by two-factor authentication. The Guardian claimed that the attack was detected in March 2017 but could have started as early as October 2016.

In the coming days, we expect more details to emerge – and more speculation to continue – about this high-profile incident. Notably, the attack on Deloitte is the third major breach reported in as many weeks, following the Equifax breach, which exposed the personal data of 143 million individuals, and the SEC breach, which may have exposed material non-public information to potential insider traders.

For more information, see:

ACA Aponix Guidance

For business enterprise protections, ACA Aponix recommends taking the following measures:

  • If your data was exposed, you may be obligated to inform your clients. Consult a privacy attorney for guidance.
  • Consider asking Deloitte (and other third-party vendors) to take down your clients' data hosted on their file transfer web portals to reduce future exposure.

For personal protections, ACA Aponix recommends placing a security freeze on your credit files with each of the three major credit bureaus.

In light of the recent breaches, ACA Aponix recommends that you:

  • Leverage multi-factor authentication for remote login to prevent unauthorized use of stolen credentials
  • Create a plan for incident response and computer forensics in the event of an attack
  • Ensure administrative accounts within your firm have appropriate access controls and reviews

If you have any questions, please contact your ACA Aponix consultant or email us at