'Swept under the rug': Deloitte insider says hackers infiltrated 'entire email database'

When the cyber-intrusion at Deloitte was revealed, the company's PR machine, like many before it, chose to focus on the little numbers. It wasn't the number of potentially hijacked emails that was its primary focus (millions), but instead the number of victims so far (six).

The Guardian first reported the news this week that Deloitte – one of the "big four" UK consultancy companies alongside PwC, KPMG and Ernst & Young – had been thoroughly hacked, seemingly via an administrator's business account that lacked two-factor authentication.

Its email servers had be compromised sometime in 2016, an incident that went undiscovered for months.

Later, a spokesperson said that a "very small fraction" of the five million emails stored there were stolen.

But now, a source close to the firm's investigation has told cybersecurity journalist Brian Krebs that the situation is worse than previously reported.

"I think it's unfortunate how we have handled this and swept it under the rug," the insider said.

"It wasn't a small amount of emails like reported. They accessed the entire email database."

Deloitte investigators, Krebs wrote this week (25 September), still do not know if the hackers have been fully booted from their network.

The source said that the professional services giant – formally Deloitte Touche Tohmatsu Limited – also has no idea how long the hackers were inside its systems.

The firm conducted an enforced password reset in mid-October last year, indicating that bosses were aware of the hack for some time, Krebs reported.

The probe found that in one instance "gigabytes" of data had been exfiltrated to a UK-based server.

Much remains unknown about the full scope of the attack. To date, Deloitte has publicly confirmed that six victimised clients have been notified that their data was directly impacted by the hackers – but the firm then attempted to spin the disclosure into a positive light.

'Very few clients impacted'

A spokesperson said: "In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review, including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte.

"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators."

Its statement added: "The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte's ability to continue to serve clients, or to consumers."

Krebs' inside source, who was granted anonymity, suggested this was not the case.

Deloitte works with some of the biggest clients in the world, including banks, corporations and government agencies to conduct auditing, tax, cybersecurity and accountancy. It has headquarters in London and New York City. The investigation, it appears, remains ongoing.

The names of the victims have not yet been released.