The cyberattack that hit a server of global accounting firm Deloitte contained emails of about 350 clients, including four U.S. government departments, Fannie Mae, Freddie Mac, the United Nations and some multinationals, The Guardian reported, citing "sources with knowledge of the hack."
Deloitte told six of its clients that the cyberattack impacted their information, the publication reported in September. However, sources said the hack was probably more widespread than Deloitte admits. The sources also contested Deloitte's claim that it knew where the hackers went, adding that the company cannot be 100% sure what information was extracted.
The U.S. Departments of State, Energy, Homeland Security and Defense; the U.S. Postal Service; the National Institutes of Health; four global banks; energy giants; and big pharmaceutical companies had emails in the hacked server, according to the report. Deloitte said the attack did not affect any of those companies or government departments, but it did not deny that their information was stored in the server.
The hackers used an administrator's account to get into the system in 2017 when Deloitte was updating its email to Microsoft's cloud-based Office 365 service from an in-house system, The Guardian reported. Deloitte then did not have multifactor authentication as standard on the breached server.