QUESTION

Deloitte is one of the biggest professional services companies in the world based on both revenue ($38.8 billion in 2017) and number of professionals (over 263,000). It provides audit, tax, management consulting, financial advisory services, and cybersecurity guidance to over 85 percent of the Fortune 500 companies and more than 6,000 private and middle market companies around the world. Its global headquarters is in New York.

In April 2017, the company discovered that its global email server had been hacked starting six months earlier. The hackers gained access to the system through an administrative account that granted them privileged, unrestricted access to all areas. Apparently, the account required just a single password and did not have two-step verification.

Deloitte offers its clients advice on how to manage the risks posed by sophisticated cyberattacks. It also operates a CyberIntelligence Center to provide clients with around-the-clock, business-focused operational security. In 2012, Deloitte was ranked the best cybersecurity consultant in the world. The firm earns a portion of its $12 billion a year in consulting fees from these services. The breach was a deep embarrassment for the firm.

The use of email is interwoven into the operational fabric of the modern organization and is used to communicate all sorts of sensitive information—new product plans, marketing strategies, merger and acquisition tactics, product designs, patent data, copyrighted material, and trade secrets. The server that was breached contained the emails of some 350 clients including the U.S. State Department, Department of Homeland Security, Department of Defense, Energy Department, and the U.S. Postal Service. Also compromised were the emails of the United Nations, National Institutes of Health, and housing giants Fannie Mae and Freddie Mac, plus some of the world’s biggest multinationals. In addition to emails, the hackers had potential access to usernames, passwords, and IP addresses.

Initially, Deloitte kept the breach secret, electing to inform only a handful of senior partners, six clients the firm knew to have been directly impacted by the attack, and lawyers at the international law firm Hogan Lovells. The Washington-based firm was retained to provide legal advice and assistance about the potential fallout from the hack.

Deloitte formed a team consisting of security analysts and experts from both within and outside the firm to conduct a formal inquiry into the breach. The goals were to understand how this happened, assess the scope of the incident, determine what the attacker targeted, evaluate the potential impact to clients, and determine the appropriate cyber-security response. After six months of elapsed time, the team determined that the attacker was no longer in the email system, ascertained that there had been no business disruption to any of its clients, and recommended additional steps to enhance Deloitte’s overall security. The team was unable to determine whether a lone wolf, business rivals, or state-sponsored hackers were responsible.

The attack illustrates that any organization can fall prey to a cyberattack—even those whose specialty is to stop them.

Critical Thinking Questions

  1. Identify what you believe to be the area of most severe consequences for Deloitte—direct impact, business disruption, recovery, legal, or reputation. Justify your response.
  2. How would you evaluate Deloitte’s response to this cyberattack? What did they do well? Where could they have done better?
  3. Identify the three highest priority changes that need to be made to the Deloitte security program.
