
What do we know so far about the Deloitte hack?

Jeff John Roberts, September 28, 2017

One of Deloitte's main lines of business is selling cyber security consulting, which makes its own breach a major embarrassment.


Translator (Chinese edition, Fortune China): Yan Kuangzheng

A bombshell report on Monday revealed that Deloitte was hit by a major cyber attack that compromised its email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms—especially since a major part of Deloitte’s business is selling cyber security.

The full extent of the hacking episode isn't clear, but details are beginning to trickle out, including from Brian Krebs, a well-respected security journalist who says he has heard from sources close to Deloitte. Here's a Q&A about what we know and don't know about the latest high-profile security attack.

What did the hackers steal?

The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”

Krebs, however, cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts. Worse, it appears the hackers transferred or copied a significant amount of that confidential data:

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for "a long time" and that the company still does not know exactly how much total data was taken.

Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.

What companies are affected?

Deloitte has only said it notified six companies and some government agencies, but it has not identified them. The Guardian adds that those companies are household names, but likewise doesn’t provide further details.

A firm like Deloitte advises giant multinationals in sectors like finance, pharma, and media, so the list of potential victims is long. It's also possible the list of actual victims will come to number more than six—especially if Deloitte has yet to get to the bottom of the hack.

How bad is this?

For Deloitte, it's very bad. The reputation of the company's cyber-security consulting business will take a hit, and not just because it got breached. If details in the Guardian's report are true, Deloitte failed to deploy elementary security measures such as requiring two-factor authentication. The firm also appears to have guarded large pools of data with a single password.

For Deloitte's clients, the extent of the harm is less clear. If hackers indeed got hold of all of Deloitte's emails, those messages may have revealed the clients' secret corporate strategies or sensitive intellectual property. Meanwhile, all of those email addresses would provide crooks with ample opportunities for spear-phishing scams targeted at top executives.

When will we know more?

Reports suggest Deloitte knew something was amiss as long ago as last October, so the firm almost certainly knows more than it is disclosing. In response to the Guardian's report, the company issued a statement but has yet to address the additional details described by Krebs.

Look for more information to trickle out in coming days from the company, but also in the form of leaks from the security community and beyond.
