Citing anonymous sources, The Guardian reported Oct. 10 that the hack was more widespread than Deloitte is letting on, and that the company isn’t yet sure of what the attackers gained access to. Deloitte denied the story, calling it “speculative and inaccurate.”
“We dispute in the strongest terms that Deloitte is ‘downplaying’ the breach,” Deloitte spokesperson Jonathan Gandal wrote in an email to Government Technology. “We take any attack on our systems very seriously. We are confident that we know what information was targeted and what the hacker actually did. Very few clients were impacted, although we want to stress that even when one client is impacted, that is one client too many. We have concluded that the attacker is no longer in Deloitte's systems and haven't seen any signs of any subsequent activities. Our review determined what the hacker actually did, and it did not show that material ‘disappeared’ into a server in London.”
Gandal did not respond to requests to define how Deloitte is using the term “impacted.” The company has put up a fact sheet on its website asserting that its review of the incident has been completed and that “very few” clients were impacted.
The document says that the hackers gained access to a cloud-based email server, and that the company was in the midst of rolling out multi-factor authentication at the time of the incident. It has since completed the implementation.
It also says the hackers' motive was likely to steal active credentials.
The New York attorney general is also looking into the breach, according to the Wall Street Journal.
Deloitte has a wide-ranging technology consultancy business that has seen it work with federal, state and local governments on IT systems and cybersecurity across the U.S.