Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.
Deloitte is one of the largest private accounting firms in the U.S. which offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies and large Fortune 500 multinationals, among others.
The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.
Hackers managed to gain access to the Deloitte’s email server through an administrator account that wasn’t secured using two-factor authentication (2FA), granting the attacker unrestricted access to Deloitte’s Microsoft-hosted email mailboxes.
Besides emails, hackers also may have had potential access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information.”
“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a Deloitte spokesperson told the newspaper.
Deloitte’s internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was “impacted” by the breach.
Deloitte has become the latest of the victim of the high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed personal data of as many as 143 million US customers.
Moreover, last week the U.S. Securities and Exchange Commission (SEC) also disclosed that hackers managed to hack its financial document filing system and illegally profited from the stolen information.