Accountancy firm Deloitte was recently the victim of a cyberattack that left confidential client emails and business plans exposed, according to a Monday report from The Guardian.

According to the report, Deloitte discovered the breach in March of this year. However, the attackers may have breached the firm’s network back in October or November 2016. Because of the sensitive nature of the breach, only senior partners and legal professionals were initially informed.

While the affected clients were not revealed, The Guardian did note that they were blue-chip clients. “The companies include household names as well as US government departments,” the report said. The breach seems to have been focused on US-based companies.

Deloitte does business with companies in verticals such as media, banking, pharmaceuticals, and more. The Guardian reported that six Deloitte clients have already confirmed that the hack had impacted their data.

Attackers were initially able to gain access to Deloitte’s email server with an admin account that gave them unrestricted access to the network. The account itself was protected with a single password and did not have multi-factor authentication set up, The Guardian reported.

The emails were stored in Microsoft Azure. Some 5 million emails were said to have been stored in the cloud when it was compromised, but Deloitte told The Guardian that only a fraction were actually at risk.

Attackers also got access to other account credentials, IP addresses, sensitive email attachments, and “architectural diagrams for businesses and health information,” the report said.

Deloitte hired law firm Hogan Lovells back in April to begin looking into the hack. At the time of this writing, an internal review is still ongoing.

The 3 big takeaways for TechRepublic readers

  1. Accountancy firm Deloitte was the victim of a cybersecurity attack that could have put 5 million emails and other sensitive business data at risk, The Guardian reported.
  2. The attack was discovered back in March 2017, but the attackers could have gained access as early as October 2016, the report said.
  3. Other data, such as business diagrams, were also compromised, and Deloitte’s internal review is still ongoing.