The hack, which The Guardian newspaper in London revealed first, appears to have impacted the company’s email system. Deloitte told the paper that the hack had compromised only a fraction of its emails and very few customers. The firm has notified six customers of the attack, according to The Guardian.
Jonathan Gandal, a spokesperson for Deloitte, told Government Technology in an email that none of the firm's government clients was impacted. Gandal said Deloitte turned to cybersecurity and privacy experts both inside and outside the company as part of its review of the incident and notified "governmental authorities immediately after it became aware of the incident."
"No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers," Gandal wrote in the email.
But an anonymous source speaking with notable cybersecurity blogger and former Washington Post reporter Brian Krebs offered a slightly different story. According to the KrebsOnSecurity blog, the source said the hackers gained access to the firm’s entire email system.
Deloitte works extensively with government entities in the U.S., including states, and serves as a systems integrator on many major technology deployments across the country. A sampling of recent activity in the U.S. from the Center for Digital Government’s* procurement activity database: In June, it won a $15 million contract with the Maryland Department of Information Technology to provide cloud services ranging from underlying architecture to software. In July it secured a contract extension for cloud services for the state of Minnesota. It’s also involved in a database migration in Colorado.
Deloitte also provides cybersecurity consulting to governments.
The Guardian described the nature of the breach as being sensitive enough that Deloitte informed only a handful of senior partners and lawyers about it. The timing of the hack is unclear — according to the article, Deloitte appears to have discovered the infiltration in March 2017, but the original attack might have happened in October or November 2016.
The firm didn’t disclose which clients were affected or what type of clients were exposed. According to The Guardian, the company has notified some government regulators about the hack.
*The Center for Digital Government is part of e.Republic, Government Technology's parent company.