Deloitte hack compromised server used by Pentagon, DHS, State and Energy departments: Report

A computer server containing the emails of several U.S. government agencies was compromised by a recently disclosed data breach targeting Deloitte, one of the world’s biggest accounting firms, The Guardian reported Tuesday.

As many as 350 of Deloitte’s international clients may have been affected by a security breach last fall, including the U.S. Departments of Defense, State, Homeland Security and Energy, among others, The Guardian reported, citing multiple sources familiar with the incident.

Hackers infiltrated Deloitte as early as October 2016 and compromised the confidential emails of several of the firm’s high-profile customers, The Guardian first reported last month.

Deloitte said at the time that six customers were told their information was “impacted” by the breach, but sources who spoke on condition of anonymity have since revealed that the compromised server contained sensitive emails and attachments involving hundreds of other clients, according to the newspaper’s latest report.

The compromised server in question contained emails concerning Deloitte clients including the handful of aforementioned U.S. government departments in addition to the U.S. Postal Service and the National Institutes of Health, as well as housing giants Fannie Mae and Freddie Mac, The Guardian reported Tuesday.

International customers that had emails on the breached server include FIFA, four global banks, three airlines, two car manufacturers, energy firms and pharmaceutical companies, among other potential victims, the report said.

Deloitte did not refute The Guardian’s findings but said that the companies and federal agencies identified hadn’t been “impacted” by the breach, the report said.

The “number of email messages targeted by the attacker was a small fraction of those stored on the platform.” Deloitte told the Guardian.

“We dispute in the strongest terms that Deloitte is ’downplaying’ the breach. We take any attack on our systems very seriously,” a spokesperson said. “We are confident that we know what information was targeted and what the hacker actually did. Very few clients were impacted, although we want to stress that even when one client is impacted, that is one client too many.

“We have concluded that the attacker is no longer in Deloitte’s systems and haven’t seen any signs of any subsequent activities,” the spokesperson said. “Our review determined what the hacker actually did. The attacker accessed data from an email platform. The review of that platform is complete.”

Headquartered in London, Deloitte is considered one of the world’s “Big Four” accounting firms alongside PwC, EY (formerly Ernst & Young) and KPMG. Deloitte earned $38.8 billion in revenue during the latest fiscal year, the company said last month — it’s best year ever in terms of total revenue, and the eight consecutive year of solid growth, according to the company.