The breach, which was US-focused, could have given hackers access to all areas, usernames, passwords, IP addresses, architectural diagrams for business and health information.
The Guardian said the firm discovered the hack in March, but the cyber attackers could have hacked into its systems as far back as October or November 2016.
The hack, which compromised the company’s global email service through an “administrator account,” required only a single password and lacked a “two-step” verification, sources told the Guardian who first reported the hack.
— CNET (@CNET) September 25, 2017
At least six of Deloitte’s clients have been told their information was “impacted” by the hack that exposed some 5 million emails.
A Deloitte spokeswoman said, however, that “only very few clients” were affected.
“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client business, to Deloitte’s ability to continue to serve clients, or to consumers,” the spokeswoman said, according to Reuters.
The internal review, “Windham,” has involved specialists analyzing documents for six months trying to map out exactly where hackers went by analyzing the electronic footprint of searches that were made. The team is said to be working out of the Rosslyn, Virginia office.
The internal review is still ongoing and so far it is not known who is responsible: whether it was a lone wolf, a business rival or the result of a state-sponsored hacker.
Deloitte is one of the world’s big four accounting firms. Headquartered in New York, it reported a record $37 billion in revenue last year.
The company provides auditing, tax consultancy and high-end cybersecurity advice to large banks, global firms, and US government agencies, among others.
Earlier this month, Equifax, the US credit monitoring agency, admitted the personal data of 143 million US customers had been accessed or stolen in a massive hack in May. It also revealed it was also the victim of an earlier breach in March.