Accountancy firm Deloitte has been a victim of a cybersecurity attack that went unnoticed for months, according to The Guardian, which was first to report the incident.
The Guardian reveals that the hack compromised confidential emails and plans of the accountancy firm’s clients. Deloitte, which confirmed the incident to The Guardian, said that only a small number of clients have been “impacted” and that six of them have already been informed of the incident.
According to The Guardian, Deloitte discovered the hack in March this year, but attackers may have had access to the company’s global cloud-based email system since October or November 2016. The hacker used an “administrator’s account” that gave them privileged, unrestricted “access to all areas.”
The account required only a single password and did not have “two-step” verification, sources told The Guardian.
The breach is believed to be U.S.-focused and was so sensitive that only a few of Deloitte’s most senior partners and lawyers were informed, according to The Guardian.
It is not yet known whether the hack was committed by a lone wolf, business rival or a government, reports The Guardian.
In a statement regarding the cyber incident, a Deloitte spokesman noted that the company has implemented its comprehensive security protocol and begun an intensive and thorough review, including mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte.
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.
“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.
“We remain deeply committed to ensuring that our cybersecurity defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.
“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”