5 (Other) Embarrassing Cyber Consulting Firm Breaches
It might be fashionable to heap scorn on the cybersecurity consultants at Deloitte for being unable to protect their own firm from a pretty gawd-awful breach. After all, the breach that came to light last week showed that the firm was picked off by attackers due to some shaky internal practices—namely, failing to enable two-factor authentication on an administrator account on a cloud-hosted email platform. The resulting compromise gave attackers access to a system containing 5 million emails for as long as five months last year. According to The Guardian, which broke the news:
In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.”
Sounds bad, right? It is, but don’t go piling on Deloitte without remembering that they’re hardly the outliers here. The truth is, Deloitte is just the latest in a long list of consulting firms with prominent cybersecurity practices that have been well and truly owned at some point in the last few years. These are just a few prominent examples:
FireEye/Mandiant
In fact, you only have to go as far back as last summer to find the first example. In July 2017, an anonymous Pastebin dumped sensitive information from cybersecurity consultancy Mandiant (part of FireEye) that came from a compromise of one of its senior analysts’ online accounts—including cloud email and storage accounts. Though FireEye followed up with an investigation and found that the attackers didn’t compromise its networks, they did manage to release internal corporate documents and customer information for two major customers. Not quite as pervasive as Deloitte, but a black eye nevertheless.
Booz Allen Hamilton
The Mandiant news came only a few months after another big incident at Booz Allen Hamilton. A big time defense contractor with plenty of tentacles in the cybersecurity world, the firm was called to account for storing highly classified intelligence data on a publicly accessible Amazon Web Services S3 storage bucket by security researcher Chris Vickery from the firm UpGuard. The data cache contained 60,000 files with absolutely no authentication in front of it whatsoever. Among the files were unencrypted passwords belonging to government contractors with Top Secret clearance. And this, of course, is just a punctuation mark for the fact that Booz was also the firm that enabled employee Edward Snowden to do his thing in 2013.
Verizon Enterprise
Known best for its well-loved annual Data Breach Investigation report, Verizon Enterprise in 2016 got a little taste of what it’s written plenty of case studies about when criminals managed to compromise a database containing sensitive information for some 1.5 million customers. When KrebsOnSecurity first broke the news of this doozy, the bad guys were trying to sell the information on the Dark Web for $100,000.
PwC
Like Deloitte, Booz Allen and HP Enterprise , PwC was named last year in Gartner’s top 10 list of cybersecurity consulting firms. And like those three, PwC has also suffered from a pretty serious breach of sensitive information in the last five years. This particular breach was the poster child for internal threats—two former employees teamed up with a journalist to leak corporate tax documents that cast shade on a number of prominent financial clients of the firm.
Lockheed Martin
The cyber jockeys at Lockheed Martin are well-known for cooking up the constantly cited Cyber Kill Chain. But such accolades still can’t erase the fact that this defense contractor couldn’t keep nation-state hackers from running away with the blueprints for the Joint Strike Fighter (JSF). When The Wall Street Journal broke the news in 2009 that foreign attackers managed to break into servers containing classified data with F-35 schematics, Pentagon officials and executives from Lockheed—which was the lead supplier for the project—denied up and down that the accounts weren’t true. Four years later and defense brass let slip that perhaps this breach was one of many against the high-tech military jet.
