A cyberattack hit the email system of accounting company Deloitte, compromising some clients’ data, the company acknowledged Monday.
The company said in a statement that “very few clients” were affected by the attack, which was reportedly discovered in March. It has launched an investigation into the attack, and has notified government authorities, the company said.
The Guardian newspaper reported Monday that the breached system had information from a range of clients, including large companies and U.S. government departments.
The newspaper says hackers gained access through an administrator’s account last fall and the attack was discovered in March, although it may have occurred as early as October or November 2016.
Independent journalist Brian Krebs reported Monday afternoon that all of the company’s administrative accounts, as well as its entire email system, were affected.
The breach occurred because the administrator’s account did not have two-factor authentication and required only a password to sign in, ZDNet reports. Two-factor authentication would have alerted the account owner to the unauthorized access, and may have prevented the attacker from accessing the account at all.
Deloitte is one of the largest private companies in the U.S., with $37 billion in revenue last fiscal year. Interestingly, one of its lines of business is offering cybersecurity advisory services to major governments and large Fortune 500 multinationals. It also advises on tax, auditing and consulting matters.
Deloitte said that no disruption “occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers” as a result of the breach.
The company says it is “deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity.”