The report said Deloitte learned of the security breach in March and that hacking activities could have started since October 2016 and appeared to home in on the company’s U.S. operations.
Sources said the administrator’s account used in the hack did not require a two-step authentication process and that hackers may have accessed passwords, usernames and other personal information of some of the firm’s clients.
The New York-based professional services firm notified six of its clients that were “impacted” by the data breach, the report added.
Reuters also reported that Deloitte issued a statement saying it has been in touch with the “very few clients” affected by the hack and has informed government regulators and authorities.
The company said it carried out a “cybersecurity security protocol” following the discovery of the cyber incident and tapped internal and external professionals to facilitate response to the breach.
News on the Deloitte hack came days after Securities and Exchange Commission Chairman Jay Clayton disclosed a 2016 cyber breach of a component of SEC’s Electronic Data Gathering, Analysis and Retrieval system.