It was discovered in March this year and could have begun as early as October 2016, according to the Guardian. This would have given the attackers full access to the company, and such accounts typically have two-factor authentication enabled.
"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators".
Deloitte said "very few" clients were impacted, and has drafted outside help to review its security. "No disruption has occurred to client business, to Deloitte's ability to continue to serve, or to consumers".
The hacker infiltrated the company's email server via an administrator's account that did not have two-step verification.
According to the Guardian, some company clients, including major companies and US government entities, had information in the company's email system at the time of the breach. The team is said to be working out of the Rosslyn, Virginia office.
The Guardian - which first broke the story - says that the attack was focused on the United States side of Deloitte's operations, and data belonging to banks, multinationals, media enterprises, pharmaceutical firms and government agencies was included in the breach. Internal investigators say they've been able to follow an electronic trail that shows major clients were the point of interest. "We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity," the company statement added.
This breach comes weeks after Equifax, the US credit monitoring agency, said the personal data of 143 million USA customers and 100,000 Canadian customers had been accessed or stolen in a massive cyberattack in May. As is so often the case, you can have the most fool-proof security operations around, but if some fool doesn't use two-factor authentication, you're a sitting duck.
The Guardian was told an estimated 5m emails were in the "cloud" and could have been accessed by the hackers.
Other data, such as business diagrams, were also compromised, and Deloitte's internal review is still ongoing.