Data leak
Deloitte Email Server Breach - Internal Client Communications Exposed
Incident Details
An attacker compromised a single Deloitte administrator account that lacked multi-factor authentication, granting access to Deloitte’s global email server hosted on Microsoft Azure. The breach gave access to all of Deloitte’s email (approximately 244,000 staff globally). The attacker had potential access to emails, attachments, usernames, passwords, IP addresses, business plans, and health information from Deloitte’s blue-chip clients (which include some of the world’s largest banks, multinational corporations, media enterprises, and government agencies).

Deloitte discovered the breach in March 2017; it had been compromised since at least October 2016. The company notified a ‘handful’ of clients whose information may have been exfiltrated. Deloitte hired the law firm Hogan Lovells to conduct an external review and work with law enforcement, keeping the investigation confidential. The breach was revealed publicly by The Guardian in September 2017. Deloitte disputed some reporting, stating the breach was confined to a small number of clients and limited data.

The exposure of privileged client communications at one of the world’s ‘Big Four’ professional services firms, one that audits and consults for governments and major financial institutions, raised significant questions about the security of sensitive client data at major consulting firms. The use of a single compromised admin account without MFA was particularly notable given Deloitte’s cybersecurity advisory practice.
Technical Details
- Initial Attack Vector: Attacker compromised an administrator account on Deloitte's Microsoft Azure-hosted email platform that had no multi-factor authentication enabled; this granted unrestricted access to the Azure Active Directory storing email for all partners and staff
- Vendor / Product: Deloitte Microsoft Azure email / Active Directory
Timeline
- 2016-10-01 Breach occurred
- 2017-09-25 Publicly disclosed
- 2016-10-01 Customers notified