Deloitte hacking

03 November 2017

In September media reports revealed that accountancy and consulting firm Deloitte had been hit by a cyber attack, potentially exposing personal data related to clients.

According to the Guardian newspaper, the cyber attack compromised a server that contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals. However, Deloitte says that only six clients were directly affected by the breach, adding that a fraction of emails on the platform were targeted by the attacker. 

The attack reportedly started in autumn 2016, when Deloitte was migrating and updating its email from an in-house system to Microsoft’s cloud-based service. The hackers accessed Deloitte’s email database via an administrator’s account, giving potential access to usernames, passwords, IP addresses, as well as businesses and health information. 


The incident, which followed the massive breach at US credit monitoring firm Equifax, shows that even when a company invests massively in cyber security it is still vulnerable to an attack. 

According to Gartner, Deloitte is the world’s largest cyber security consultant with USD 2.86 billion in cyber security fees in 2016. They advise some of the world’s largest companies on how best to secure their systems and sensitive data from hackers. Equifax is also a big player in the breach response market, providing identity theft and credit monitoring services. 

Equifax announced in September that hackers had stolen personal data on 143 million US citizens and almost 700,000 in the UK between mid-May and July. Both Deloitte and Equifax are under investigation by New York State’s Attorney General over the cyber attacks, while Equifax also faces regulatory investigation in the UK and public and private litigation in the US. 

These two attacks add to a string of cyber attacks in 2017 that have affected retailers, financial services firms and technology companies. In September the Securities and Exchange Commission revealed a cyber attack last year that may have exposed sensitive information on publically traded companies.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on



Find out more

Read our Cyber Risks & Insurance Insights

Read more

Receive our monthly cyber risk newsletter