High-profile clients of accounting firm Deloitte may have had their personal information exposed in a hack of the company’s systems, potentially leaking private emails, usernames, passwords, health information, private business plans and more.
Deloitte is one of the largest accounting firms in the world, providing auditing, tax guidance and more to companies, banks and government agencies. The New York-based firm had its email server breached with an administrator account from late 2016 until March of this year, according to The Guardian.
Citing unnamed sources, the report revealed that Deloitte did not have two-step verification enabled for the account, allowing hackers to apparently breach the email server with just a single password.
The hack exposed some 5 million emails sent to and from Deloitte staff. So far, at least six Deloitte clients have been advised that their information was affected by the security breach.
Deloitte issued a statement saying that “very few clients” were “impacted” by the incident. The company has notified both governmental authorities and regulators.
“We remain deeply committed to ensuring that our cybersecurity defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity,” the company said. “We will continue to evaluate this matter and take additional steps as required.”
The breach comes on the heels of the Equifax hack, which may have exposed up to 143 million people’s Social Security numbers, birth dates, addresses, driver’s license numbers and more. Affecting nearly 60 percent of adults in America, the Equifax hack is one of the largest and most dangerous in history.
OWI Labs Principal Analyst Kaelyn Lowmaster warned in an op-ed last week that the Equifax hack is just the beginning, highlighting how supposedly trusted organizations like credit bureaus can and do bungle management and safety of personal data. As one of the “Big Four” accounting firms around the globe, Deloitte is likewise trusted with valuable and sensitive information of its clients, making the breach potentially devastating to the company’s brand and reputation.