Deloitte Hack Demonstrates the Importance of Two-Factor Authentication

If you’re still trying to digest the dismaying details of the recent Equifax hack, here’s another one for you to worry about: Deloitte’s email hack. That’s right. One of the largest accountancy firms was the target of hackers who managed to get into Deloitte’s email server. Hackers love email, and this is a perfect example of the warnings we’ve been writing about for a while now.

The Deloitte hack means that all kinds of personal details of the firm’s clients are now in the hands of cyber criminals, with passwords, IP addresses, and private business documents being some of the sensitive information the hackers might have. Keep in mind Deloitte’s clients include both major brands and government agencies, so there’s no telling how this email hack could affect the public.

And if you’re thinking it’s just been a bad few weeks for major businesses that were unfairly targeted by hackers, you’ll be interested to know that this wasn’t a particularly recent hack. Deloitte actually found out about it back in March, and there’s a good chance the hackers gained access to the email server in the fall of 2016. This means personal information may have been floating around out there for nearly a year without Deloitte’s clients having any idea. That’s a pretty big deal, but not really surprising considering we just found out Equifax knew about its own hack for over a month before alerting the 143 million people affected by it.

So, the natural question is how did this happen? The answer is simple: Deloitte’s email server did not have two-factor authentication. Seriously. Considering the extreme sensitivity of the information Deloitte is holding onto for its all-too-trusting clients, you’d think security features like two-factor authentication would be a given. But apparently the firm didn’t think it was necessary, and its clients sure are paying for that decision now.

Two-factor authentication likely would have kept the hackers from gaining access to the email server. It also would have let the account owner know someone was trying to get access to it, allowing Deloitte officials to determine if they should improve security. In a world where one of the most popular passwords is “password” and some locations of Equifax use “admin” for both the username and password, an extra layer of security is probably prudent. 

Let’s make this perfectly clear—today, any company is a potential target for hackers. Business owners, senior leaders, and IT teams need to prepare for when, not if, a hack occurs. Without question, two-factor authentication is a logical step in protecting your business information and your clients’ data. Enable that today.

And if you haven’t read my deep dive on what to do to protect yourself after the Equifax hack, you might want to check it out: How to Protect Yourself in the Wake of the Equifax Breach.

This article was first published on Converge.xyz.

Alfonso Way Jr

Technical & Project Management Consultant

6y

Very good to hear, Shelly. Yes, we are instituting two-factor authentication as well.

Esta H. Singer ✦ Brand Messaging Architect✦ Strategist

Building the Messaging you’d use every day to amplify Clarity, Confidence, and Consistency in a way that inspires and connects people with your Brand. #BrandMessaging #BrandStrategy #BrandIdentity

6y

So glad you're addressing this challenge, Shelly. On average, the number of days an attacker (hacker) stays in a system is 265 days before being detected. Basically, we're using 2010 solutions for 2020 problems. It takes less than 24 hours for an attacker to breach a target.
