Tag: Deloitte

September 2017: Security Breaches

September 2017 has been an interesting month for many important security breaches. We all learned the value of our personal information. From now, I will publish a monthly post about the major security breaches from the previous month.


Equifax is a consumer credit reporting agency and they had a recurrent unauthorized access to their systems from May 13th to July 30th. The technical teams knew about the vulnerability exploited since they even got a memo on March 9th to patch it (Apache Structs CVE-2017-5638). Even then, the security team detected the situation only on July 29th. The CEO learned about the situation on July 31st. The board of directors got the news on August 24th and 25th. It is only on September 7th that Equifax disclosed the security breach to the public.

143 million (143 000 000, yes, six zeros) records on Americans were stolen, including names, social insurance numbers (SIN), dates of birth, and even some driver licences. After the investigation, it is now 145.5 million, and now including some credit card numbers for 209 000 consumers. In Canada, we are a little luckier since it was at first announced to be 100 000 consumers impacted, but the revised number after the investigation was more 8 000 consumers.

The CEO took an early retirement with many executives including the Chief Information Officer (CIO) and Chief Security Officer (CSO). Equifax will also face many lawsuits in both Canada and the US. The then CEO will even have to testify in front of Congress. There are also some interrogations about executives selling their stock options following the detection of the security breach. Since the hack was not publicly disclosed, these people could face charges for insider trading.

US Securities and Exchange Commission (SEC)

This US federal agency is mainly responsible for enforcing securities laws and regulating the securities industry. The Commission discovered a software vulnerability in 2016 and was “promptly” patched. However, the SEC disclosed a possible incident since they believe that an unauthorized access still occurred before being able to apply the patch. No access to personally identifiable information (PII), but sensitive nonpublic information related to companies. An official statement was published on September 21st.


One of the “Big 4” accountancy firms was also targeted this month. The news was published by the Guardian on September 25th. Deloitte is often the firm, among the Big 4, which is the most well-known for their services in cybersecurity. The firm’s clients include 80 percent of the Fortune 500. The unauthorized access occurred on the firm’s global email server hosted on Microsoft Azure. And this, probably since October or November 2016.

Nothing too complicated this time, hackers simply got an administrative account credential. After that, it was possible to login directly on the email server accessing emails to and from Deloitte’s 244,000 staff. Many of these emails probably contain sensitive information about their clients and even, some interesting attachments. The system was not compromised in a technical manner, but simply by social engineering technique in order to obtain credentials. Furthermore, without two-factor authentication (2FA), it was easy to login remotely.


Sonic is a major fast-food chain in the US with nearly 3 600 locations. Brian Krebs was the first one to report this security breach on September 26th. Their credit card processor informed them about unusual activity related to their transactions. It is still unclear how the security breach occurred. However, it was possible to find at least 5 million credit and debit card accounts for sale online. These are probably related to the Sonic security breach.

Whole Foods Market

Whole Foods Market, which is owned by Amazon, also disclosed on September 28th that some payment card information had been stolen. The investigation is still ongoing, and we should have more information soon. An interesting point mentioned in the press release is the fact that Amazon.com systems are not connected to the ones at Whole Foods.

Past 3 years, and a new beginning

It has been a little more than 3 years since I graduated from my bachelor degree. I must admit, it has not been always simple to figure out what I wanted to do. It could have been easier, but overall, I understand now why those different experiences were required for me.


In 2014, I got my first full-time job related to my bachelor, and it took me almost a year after graduation to finally receive an offer. It was not an offer from the smallest organization, but for one of the largest professional services firm. I will always be grateful to Deloitte that gave me an opportunity. However, after a year there, in 2015, I was kind of lost, and I left. I must say that I have worked mostly as an independent consultant between 2003 to 2014. To work for a firm, it was a huge change, and I was definitely not ready for that commitment as a recent graduate. I was also not sure about the kind of work I wanted to do.

During that year working for the firm, I was always asking myself so many questions. What would it have been to do something else? I was not sure about the path that I wanted to take. More technical or business? I was not even sure if I wanted to pursue my own projects. Before, I have to say that I was doing mostly technical mandates related to web development and infrastructure maintenance.


After Deloitte, I had the possibility to work with a startup, Nukern, developing a SaaS application related to hosting automation and billing. I was only there maybe for 8 months, but it has been a great experience. I also had to manage a small team for the first time. Again, I was probably not at the right place, at the right time. I was honestly probably not ready to invest as much time in a startup that I was not a co-founder.


More recently, I developed Kantoku, an IT GRC application that allows organizations to manage their assets, risks, controls, documents, compliance requirements and audits. I am really proud of this application, and it was also the beginning for my own company. Throughout the years, I did so many projects on the web. However, Kantoku is really different in a way that it is directly related to my professional field. Nonetheless, I am not quite ready to be working full-time on Kantoku. More about that in a further post. I also did a few consulting mandates during that time.


Anyhow, I was looking to go back full-time as an employee after finishing Kantoku development. I am really proud to say that I got an amazing offer from PwC as a senior associate for their Montreal office. I am definitely looking forward to this new opportunity, and I consider myself lucky to have that second chance in a Big 4.

With this post, I wanted to point out that it is not always as straightforward after university. I had a well-defined plan in my head during my bachelor, but it did not work out exactly how I was expecting it. But, I am sure that it was for the best, and I would probably do the same choices. Now, time for a new beginning.