Deloitte denies Cl0p data breach impacted client data in wake of MOVEit attack

Deloitte logo pictured on a sign outside the company's offices in London
(Image credit: Getty Images)

Deloitte has refuted claims that the Cl0p ransomware gang has breached its systems and stolen client data amid speculation online. 

The accountancy firm was cited as a victim on Cl0p’s breach disclosure blog, sparking concerns that clients at the consultancy could be at risk. 

In its disclosure, Cl0p claimed “the company doesn’t care about its customers” and that it “ignored their security”.

The claims come amid a flurry of breach disclosures from Cl0p in the wake of the MOVEit breach, which so far has affected hundreds of companies globally. 

Last month, the group claimed to have compromised systems at EY and PwC, two of the other ‘Big Four’ accountancy firms. 

At the time of writing, Cl0p still has both companies listed on its blog along with an array of download options for files the cyber criminal outfit claims to have stolen from them.

However, in a statement given to ITPro, Deloitte has denied suggestions that it had suffered a breach off the back of the global security incident. 

A spokesperson for the firm said in the aftermath of the attack it took immediate action to apply security updates according to the vendor’s guidance and has mitigated risks to clients. 

“Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance." 

RELATED RESOURCE

Black whitepaper cover with strapline and image of man's face overlaid looking in different directions

(Image credit: Mimecast)

The state of email security 2023

Get the latest insights from 1,700 CISOs and other IT professionals as they present a realistic picture of the steps they are taking to protect their organizations


DOWNLOAD FOR FREE

Deloitte also said that it conducted an investigation into the possibility of a breach in the wake of the MOVEit incident, but has thus far determined that no client data has been impacted. 

The spokesperson noted that the firm’s use of the file transfer software was “limited”. 

“Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited,” they said. “Having conducted our analysis, we have seen no evidence of impact to client data.”

Deloitte's page on Cl0p's website does not yet feature download links for files. This could indicate that Deloitte's assessment is correct and Cl0p has not managed to access client data.

It could also mean that Cl0p is still waiting to negotiate a payment from Deloitte for any data it was able to steal during an attack. Deloitte said client data is believed to be unaffected but in multiple recent Cl0p-associated incidents, data stolen from victims has concerned internal staff rather than clients.

Cl0p has also been linked with the earlier GoAnywhere breach which saw the Pension Protection Fund also lose data related to current and former staff, but not current members.

MOVEit attack - what happened?

News of the MOVEit attack emerged in late May amid speculation that a zero-day vulnerability in the transfer software had been exploited by threat actors. 

Security researchers at Microsoft quickly identified Cl0p as the group behind the attack, and the incident began to spiral out of control.

Within days, several major organizations globally revealed they had been impacted by the breach, including payroll provider Zellis.

This sparked a series of subsequent breaches at a host of major organizations globally, with the number of victims rising to 513 at the time of writing, according to Emsisoft's figures.

To date, hundreds of organizations spanning a number of industries have been affected by the breach. 

Cl0p has added nearly 50 victims to its list in the last week alone, including Toyota’s European subsidiary and Virgin Pulse. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.