Deloitte is disputing claims that a recently discovered hack on their server exposed the information of government agencies, as was reported Tuesday by The Guardian.
“We are confident that we know what information was targeted and what the hacker actually did. Very few clients ― none from the government ― were impacted,” Deloitte spokeswoman Megan Doern told Federal Times.
According to an anonymous source in the Guardian article, the breach impacted data from as many as 350 clients, which included the U.S. Departments of State, Energy, Homeland Security and Defense, as well as the U.S. Postal Service and the National Institutes of Health.
Deloitte, however, said that none of the clients they discovered to be impacted over the course of their investigation included government agencies.
“An attacker compromised account credentials and ultimately gained access to a single Deloitte cloud-based email platform,” Deloitte said in an official statement. “On discovering unauthorized access to the email platform, we initiated our standard and comprehensive incident response process, which included mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte (including Mandiant).”
According to the statement, the attacker focused on obtaining active credentials in a cloud-based email platform, and is no longer in the system. Deloitte manually combed through affected emails to determine the extent of the sensitive information exposed.
“By conducting this eyes-on review, we were able to determine the very few instances where there may have been active credentials, personal information or other sensitive information that had an impact on clients,” the statement said, elaborating that the company contacted both affected clients and government authorities.
However, anonymous sources told both the Guardian and KrebsOnSecurity that the hack was more widespread than Deloitte first acknowledged, and that the company could not possibly know the full amount of data that was taken when the hacker was in the system for approximately a year.
Deloitte, however, told Federal Times that they” dispute in the strongest terms that Deloitte is ‘downplaying’ the breach. We take any attack on our systems very seriously. We are confident that we know what information was targeted and what the hacker actually did. Very few clients were impacted, although we want to stress that even when one client is impacted, that is one client too many. We have concluded that the attacker is no longer in Deloitte’s systems and haven’t seen any signs of any subsequent activities. Our review determined what the hacker actually did, and it did not show that material ‘disappeared’ into a server in London.”