本周一的爆炸性新聞報道稱，德勤（Deloitte）遭到了大規模的網絡攻擊，電子郵件系統和某些客戶的檔案遭到泄露。這一消息對于全球“四大”會計和咨詢公司之一而言，可謂是一大丑聞——尤其德勤的主要業務之一就是提供網絡安全咨詢。

整個黑客事件的波及范圍目前尚不清楚，不過細節已經開始浮出水面，其中包括布萊恩?克雷布斯提供的消息。這位飽受尊敬的安全記者表示他獲得了與德勤來往密切的消息源的說法。以下的問答環節展示了關于這次最新的備受矚目的安全攻擊，我們所知道和不知道的內容。

黑客偷走了什么？

德勤遭到攻擊的最初新聞來源于《衛報》（Guardian），其中指出黑客盜得了“部分藍籌客戶的機密郵件和計劃”。公司回應稱自己確實遭到了網絡攻擊，但是淡化了事態的嚴重性，表示“只有極少數客戶受到了影響”。

然而，克雷布斯援引與德勤來往密切的消息源的說法，表示攻擊造成的影響很可能比這更嚴重。消息源聲稱，黑客進入了公司全部的內部郵件數據庫和所有的管理員賬號。更糟糕的是，他們似乎還轉移或復制了相當一部分機密數據：

這個消息源還表示，司法調查者已經確認有數GB的數據被傳到了英國的某個服務器上，并進一步指出，黑客自由入侵網絡已有“很長時間”，德勤還不知道究竟有多少數據遭竊。

與此同時，克雷布斯的消息源也稱德勤還沒確定攻擊的涉及范圍。

哪些公司受到了影響？

德勤只稱他們通知了六家公司和一些政府機構，但沒有透露這些機構的名字。《衛報》補充道這些公司都家喻戶曉，但同樣沒有提供進一步細節。

德勤這類公司會給金融、制藥、媒體等行業的跨國巨頭提供咨詢，所以潛在的受害者有很多。而且實際上的受害者可能也不止六家，尤其是考慮到德勤還沒有完全弄清這次攻擊的真相。

攻擊帶來的影響有多糟糕？

對德勤來說，非常糟糕。公司網絡安全咨詢業務的聲譽將會受損，不僅僅是因為公司被入侵了。如果《衛報》報道的信息屬實，那么德勤并未采用雙重認證等基礎的安全措施。公司似乎還使用了單一密碼來保護大量數據。

對德勤的客戶而言，危害的程度還不太清楚。如果黑客確實掌握了所有德勤的電子郵件，這些信息可能會泄露客戶機密的公司戰略或敏感的知識產權。與此同時，騙子可以利用其中所有的郵件地址，針對頂層高管進行網絡釣魚。

我們什么時候能知道更多？

報告指出，德勤早在去年10月就知道情況有些不對勁。所以幾乎可以肯定，公司掌握的消息比披露出來的更多。德勤發表了一份聲明作為對《衛報》的回應，，不過尚未對克雷布斯提供的細節有所說明。

我們期待著德勤在未來透露更多，不過安全圈子內外也可能會流出更多消息。 （財富中文網）

譯者：嚴匡正

A bombshell report on Monday revealed that Deloitte was hit by a major cyber attack that compromised its email system and certain client records. The news is a major black eye for one of the world’s “big four” accountancy and consulting firms—especially since a major part of Deloitte’s business is selling cyber security.

The full extent of the hacking episode isn’t clear, but details are beginning to trickle out, including from Brian Krebs, a well-respected security journalist who says he has heard from sources close to the Deloitte. Here’s a Q&A about we know and don’t know about the latest high profile security attack.

What did the hackers steal?

The initial report of the Deloitte breach came from the Guardian, which revealed hackers had compromised the “confidential emails and plans of some of its blue-chip clients.” In response, the firm confirmed it had suffered a cyber-attack, but played down the significance by saying “only very few clients were impacted.”

Krebs, however, cites sources close to Deloitte who suggest the hack was likely more severe than that. The sources claimed the hackers accessed the entirety of the firm’s internal email database, and all administrative accounts. Worse, it appears the hackers transferred or copied a significant amount of that confidential data:

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.

Meanwhile, Krebs’ sources say Deloitte has yet to identify the full pervasiveness of the attack.

What companies are affected?

Deloitte has only said it notified six companies and some government agencies, but it has not identified them. The Guardian adds that those companies are household names, but likewise doesn’t provide further details.

A firm like Deloitte advises giant multinationals in sectors like finance, pharma, and media, so the length of potential victims is long. It’s also possible the list of actual victims will come to number more than six—especially if Deloitte has yet to get to the bottom of the hack.

How bad is this?

For Deloitte, it’s very bad. The reputation of company’s cyber-security consulting business will take a hit, and not just because it got breached. If details in the Guardian’s report are true, Deloitte failed to deploy elementary security measures such as requiring two-factor authentication. The firm also appears to have guarded large pools of data with a single password.

For Deloitte’s clients, the extent of the harm is less clear. If hackers indeed got hold of all of Deloitte’s emails, those messages may have revealed their client’s secret corporate strategies or sensitive intellectual property. Meanwhile, all of those email addresses would provide crooks with ample opportunities for spear-phishing scams targeted at top executives.

When will we know more?

Reports suggests Deloitte knew something was amiss as long ago as last October so the firm almost certainly knows more than it is disclosing. In response to the Guardian’s report, the company issued a statement but has yet to address the additional details described by Krebs.

Look for more information to trickle out in coming days from the company, but also in the form of leaks from the security community and beyond.