Deloitte, one of the world’s “big four” accountancy firms, has been hit by a cyber attack that reportedly went unnoticed for months and compromised the confidential data of a number of its blue-chip clients.
The hack was first reported by the Guardian on Monday (25 September), which detailed how the attackers accessed data from the company’s email server.
In a statement, Deloitte confirmed that its email platform was breached but that a review of that platform “is complete”. The “intensive” review included mobilising a team of cyber-security and confidentiality experts inside and outside of Deloitte.
It said the review enabled it to understand “precisely what information was at risk” and what the hacker actually did. As a result of the review, it claims “very few clients” were impacted, and that “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers”.
The firm did not confirm the names or number of clients affected, but the Guardian reported that six clients have been contacted so far.
Deloitte is WPP's auditor. The Drum understands that WPP was only notified by Deloitte of the hack after the Guardian reported it this week. However, WPP was not one of the clients impacted.
Deloitte became aware of the hack in March this year, but attackers may have had access to its systems since as early as November 2016, the Guardian reported. The company said it contacted government authorities “immediately after it became aware of the incident”, as well as the clients impacted by the attack.
“Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security,” the firm said.
Deloitte provides accounting, auditing and consulting services, including advice on mergers and acquisitions. It also runs a cyber security business that helps customers defend their networks and investigate breaches.
The breach is the latest in a series of cyber attacks aimed at organizations that handle sensitive financial data. Government agency, US Securities and Exchange Commission (SEC), and Equifax Inc, a consumer credit reporting agency, both had confidential filings and sensitive personal data compromised by hackers this month.
In June WPP, the world’s largest advertising group, suffered a cyber attack which affected the group for around 10 days and cost the company up to £15m before insurance, its chief executive Sir Martin Sorrell revealed to The Drum this week.