Deloitte didn’t know about the leak of its clients’ data for several months

A problem I hear about very often is that companies never find out that they have been attacked or that their data has leaked, or find out only long after the fact.

The Guardian has reported such an incident at Deloitte, one of the biggest accountancy firms in the world.

Deloitte is an international firm headquartered in London, doing business in most countries around the world. It was attacked by hackers months ago.

On 27 April 2017, Deloitte hired the law firm Hogan Lovells on a “special assignment” to review what it called “a possible cybersecurity incident”. However, The Guardian’s sources believe the attack itself happened some time earlier, in October or November 2016.

As a result of the attack, the emails of at least six Deloitte clients are known to have been affected.

The firm’s global email server was compromised, and the attackers obtained access to an administrator account. In theory, this gives full access to all business and personal email conversations between users and the company’s staff. Beyond the emails themselves, the attackers potentially had access to usernames, passwords, IP addresses, health information and architectural diagrams for businesses.

Deloitte hosts the mail server, with 244,000 staff accounts, in Microsoft Azure cloud infrastructure. Internally the investigation has been given the name “Windham”, according to The Guardian, and security specialists are still trying to establish exactly which data was stolen.

According to the current results of the investigation, the attack is linked to the Rosslyn, Virginia office, where most of the compromised data was found. Most probably only US data is affected.

Officially, Deloitte confirms the attack but says that only a small number of emails were affected. The firm declined to say exactly how many emails were compromised.

Under the new European law, the GDPR, which applies from 25 May 2018, all companies holding the personal data of EU citizens are obliged to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform affected individuals where the breach is likely to result in a high risk to them.

If such an incident happens after that date and the company fails to comply, it can be fined up to 2% of annual global turnover or 10M Euro, whichever is higher; for the more serious category of infringements the limit is 4% or 20M Euro.

So Deloitte, and every business operating in Europe, needs to be ready for the new law and to organize its processes, in particular breach detection and notification, to comply with the new standard of doing business.