Deloitte cyber attack may impact Fannie, Freddie

by Ryan Smith11 Oct 2017
A data breach at an accounting giant may have exosed information from Fannie Mae and Freddie Mac to hackers, new reports suggest. Fannie Mae, however, has said that it hasn't been affected.

The hack, revealed late last month by The Guardian, affected Deloitte, a multinational professional-services firm. The cyber attack against the company began more than a year ago, The Guardian reported.

Deloitte initially said that the hack had only affected six of its clients. However, sources with knowledge of the attack have told The Guardian that the hack may have been far more widespread than Deloitte has admitted, and that hackers compromised a server containing the emails of about 350 clients – including Fannie Mae, Freddie Mac, and several US government agencies.

According to The Guardian, Fannie and Freddie weren’t the only US concerns made vulnerable in the hack. Others included:
  • The departments of state, homeland security, energy and defense
  • The postal service
  • The National Institutes of Health
The United Nations and some of the world’s largest multinational corporations were also exposed in the hack, The Guardian reported.

While Deloitte didn’t deny that Fannie, Freddie and the other organizations had information in the system that was targeted by the hackers, the company insisted that none of those organizations were “impacted” by the breach. Deloitte told The Guardian that “the number of email messages targeted by the attacker was a small fraction of those stored on the platform.” That statement, however, was contested by the newspaper’s other sources.

The hackers apparently gained access to Deloitte’s system in the fall of 2016, using an administrator account that may have given them access to the company’s entire email database. In addition to emails, the hackers may have been able to access passwords, usernames, and other confidential information, The Guardian reported.

Fannie Mae said that the Deloitte hack does not seem to have affected it. 

"Fannie Mae is aware of the Deloitte cybersecurity incident initially announced on Monday, September 25," the GSE said in a statement emailed to MPA. "At this time, we are not aware of any impact to Fannie Mae data or systems due to the incident. We are working with Deloitte to assess the situation and continue to monitor closely."

Deloitte also said the GSE wasn't affected by the breach.

“Deloitte confirms that Federal National Mortgage Association (Fannie Mae) was not impacted by the cyber incident reported in the media on 9/25/2017 and subsequently on 10/10/2017," the company wrote in an emailed statement.

Editor's note: This story has been updated to include comments from Fannie Mae and Deloitte.

Related stories:
Credit union group sues Equifax over data breach
Equifax breach a reminder about security


Should CFPB have more supervision over credit agencies?