Warning: Data Breaches In News Always Worse Than They First Appear

Not too long ago news broke of yet another substantial data breach. This time at financial consultancy Deloitte — one of the so-called big four accounting firms. On Sept 25, Deloitte announced that it had detected a breach stemming from an inadequately secured administrative email system that gave the attacker(s) access to the firm’s global email system.

Deloitte says the breach was identified in March. Deloitte’s statement came a few days after the Guardian ran a news story saying that the firm was breached. The Guardian reported that the breach could go as far back as October 2016. Deloitte hasn’t had much to say to date about the particulars of the breach.

While there has been a lot of attention paid to the six Deloitte clients who had information affected by the breach, in its story, the Guardian reported that “hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.”

“The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed,” the Guardian reported.

According to reporting by independent cybersecurity site Krebsonsecurity.com, “information shared by a person with direct knowledge of the incident said the company in fact does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”

“This source, speaking on condition of anonymity, said the team investigating the breach focused their attention on a company office in Nashville known as the ‘Hermitage,’ where the breach is thought to have begun,” Krebs reported.

Krebs also shared a screenshot from a password reset demand sent out to all U.S.-based Deloitte employees. That request required that passwords be reset by Oct. 17, 2016.

This news is bad enough, but it’s likely to get worse. As is the case with many significant data breaches, the picture tends to get worse as time goes on.

News is already starting to surface of evidence that bad-doers may have been snooping around Deloitte more broadly, and for longer, than the fall of 2016. The Register reported that “what seemed to be a collection of Deloitte's corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes,” the news site reported.

According to The Register, potentially critical systems were discovered public-facing with remote access enabled. “Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind,” he was quoted as saying by The Register.

None of that looks particularly good, and it’s why it’s a reasonable bet to expect more bad news to come. Just last week the news broke that the 2013 breach from Yahoo!, which was reported four years ago to involve 1 billion users, has swelled to include every Yahoo! account and now tops 3 billion accounts affected.

This is not particularly uncommon, unfortunately. In 2012, a serious breach at LinkedIn was initially announced as having 6.5 million affected accounts; by 2016 the affected account number grew to 117 million. Retail giant Target revised the number of accounts affected by its breach up to 70 million from the 40 million originally announced.

While not as big of a bump as many of the other after-the-fact data breach recounts, U.S. cybersecurity firm Mandiant updated its investigation to include an additional 2.5 million people.

These are just a small sampling of breaches, to be sure. And not every breach is worse than what is first reported. But be aware that there is a good chance the picture painted by the initial reports will get worse over time, as the investigations complete.