Deloitte.

Bascar/Shutterstock.com

The hack represents a breach of Deloitte’s ‘crown jewels,’ experts say, and large financial organizations and multinational corporations are likely among those affected.

“Big Four” professional services firm Deloitte yesterday disclosed that hackers had successfully breached the organization’s email system last fall and may have had access to its emails up until the breach was discovered in March of this year.

Deloitte did not respond to requests for comment, but confirmed the cyberattack to reporters forThe Guardian and Gizmodo. In statements provided to each of these publications, Deloitte said that “very few” clients had been “impacted,” though it did not disclose the depth of said impacts, and that each client had been notified. Deloitte additionally noted that it had contacted both government authorities and regulators and had retained law firm Hogan Lovells to review the incident.

Jon Neiditz, partner at Kilpatrick Townsend & Stockton and co-leader of Kilpatrick’s cybersecurity, privacy and data governance practice, noted that Deloitte’s admission that hackers had specifically breached its email system reflects a breach of its “crown jewels,” or its most valuable asset.

Larry Ponemon, founder of privacy and security research group The Ponemon Institute, added, “For the most part, professional services firms deal in confidential information. The whole nature of the organization is to protect the intellectual property of the organization.”

“Emails are very rich in information because that’s how we communicate,” Ponemon elaborated. For professional services organizations, which traffic in sensitive data for many of their clients, emails can offer information potentially more valuable to hackers than large volumes of personal information, especially for nation-state or activist cyberattackers who are less driven by profit.

Given Deloitte’s prominent accountancy practice, large financial organizations and multinational corporations are likely to have been among those affected by the breach. Given the close working relationships between professional services groups and the legal industry, Ponemon said that law firms may too be among those impacted by the breach.

“When you do professional services as an accountant or a consultant, you’re working hand and glove with law firms. Not just any old law firms, but the most prestigious firms,” Ponemon said.

Deloitte is certainly not the first organization to have its email system hacked. Hackers accessed sensitive and occasionally compromising emails from executives at Sony Pictures Entertainment in 2014 and posted them online. “I could see something like that happening, and the consequences would just be devastating,” Ponemon said of a potentially comparable situation at Deloitte.

The Deloitte hack is also notable because of the organization’s prominent cybersecurity advisory practice, which helps other large organizations avoid cyberattack. Deloitte last year also released a report finding growing anxiety among companies around intellectual property theft.

Initial reports of the data breach noted that the Deloitte account hacked lacked two-factor authentication, a fairly common security standard that requires users to authenticate their identity across two different mediums. Although some reports were quick to criticize Deloitte for this failure, Neiditz said it has yet to be determined whether this particular security standard was the cause of the breach.

“There are a lot of those things that are best practices, but it’s not necessarily that focusing on one best practice is the best lesson learned, because then you miss all the other best practices,” Neiditz said.

Email encryption is another such tactic, but that too may be somewhat uneven in its application. Even when companies are required by policy to encrypt or attempt to encrypt email, Ponemon added that encryption standards are rarely followed comprehensively. They often leave various elements of an email, from attachments to sender identities, unencrypted.

Ponemon, drawing from his experience as former director of professional services group KPMG’s Business Ethics Institute, additionally pointed to the organizational hierarchy of professional services firms as a potential risk factor for cyberattacks. “These organizations are not like your typical corporation where you have centralized command and control. Every person in the firm sees themselves as the CEO,” he said.

“When you tell them they have to change their security hygiene, they get angry at you,” said Ponemon of many professional services executives. Under this model, one individual who decides he or she is not interested in applying security policy is all it takes to enable a successful data breach.

Unlike the highly-publicized data breach at Equifax earlier this month, Deloitte’s hack likely did not trigger any state data breach notification laws. Nearly all state data breach notification laws are prompted by compromises to consumers’ personal identifying information, while data breaches affecting company data, even when they may impact consumers in other ways, aren’t generally covered by state or federal policy (although New York’s recent policy change for financial institutions may be a notable exception).

Neiditz explained that data breach notification laws largely seem to be modeled after California’s initial data breach laws, which were proposed in 2002. “In 2002, people believed you could keep bad people out of your systems. Now the assumption is there are bad things living in your systems; you can’t necessarily keep them out in the same way,” he said.

In addition, Neiditz pointed out that while there are SEC disclosure requirements for public companies, Deloitte’s data breach may not fall into this bracket.

The Deloitte breach could prompt regulators to shift their definitions of data breaches to include other kinds of sensitive organizational data and communications, but Ponemon noted that the optics around the issue don’t exactly facilitate popular support. “It looks like you’re protecting companies,” he explained.

Neiditz is a little more hopeful about potential regulatory change. “There are signs of new regulatory approaches that may go after these things,” he said.