Incident Analysis

Deloitte Email Breach 2017: Global Email System Compromised, Client Communications Exposed

In September 2017, The Guardian reported that Deloitte — one of the world's Big Four professional services firms — had suffered a breach of its global email system. Attackers gained access to an administrator account protected only by a single password, without multi-factor authentication. The breach reportedly exposed emails, attachments, IP addresses, architectural diagrams of client systems, health information, and credentials. Deloitte had reportedly known about the breach since March 2017 but kept it confidential until it was reported externally. The incident became a landmark case study in why MFA is non-negotiable.

The Deloitte 2017 breach: a single administrator account without MFA exposed the global email system.

What Happened

Attackers gained access to Deloitte's global email platform through a compromised administrator account. Because the account had no multi-factor authentication, the password alone was enough to sign in. From there the attackers could reach current and historic client communications, internal emails between staff, attachments containing sensitive client data, and information about the firm's own infrastructure. The breach reportedly exposed data relating to hundreds of thousands of emails. Deloitte identified the breach in March 2017, but determining its full scope took months.

Key Security Failures

The Deloitte email breach involved several security failures that are common — not unique to large firms:

  • No MFA on a critical administrator account — the single most significant failure; credentials alone were sufficient to access the entire email platform
  • Excessive administrator access — the compromised account had access to more of the email system than was required for its function
  • Delayed detection — months passed between the breach and detection; monitoring and alerting were insufficient
  • Insufficient client notification — the firm was criticised for not proactively notifying all potentially affected clients

Lessons for Professional Services Firms

The Deloitte breach remains the definitive case study for professional services email security. The lessons are direct:

  • MFA must be enabled on every account with administrative privileges, and on every user account; a password alone must never be sufficient to reach the mailbox platform
  • Administrator accounts must follow least-privilege principles: scope admin roles to the tasks they actually perform, and keep day-to-day mailbox use on separate, unprivileged accounts
  • Email platform monitoring must alert on unusual access patterns, including privileged sign-ins that were not MFA-verified, sign-ins from new locations, and large-volume mailbox reads or exports
  • Incident response plans must include client notification procedures, so that affected clients hear from the firm promptly rather than from the press
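The monitoring points above, together with the failures listed under Key Security Failures (privileged sign-in without MFA, sign-in from an unfamiliar location, large-volume mailbox export), as three detection rules run over sample audit events. This is an added example, not code from the original page, from Deloitte, or from any email vendor: the JSON-lines log schema, the role names, the per-user location baseline and the thresholds are all assumptions, and the sample events are constructed for illustration.

```python
"""Three detection rules for an email platform's sign-in and mailbox audit
log. Added example; the log schema (ts, user, op, mfa, country, role,
mailbox, items) is an assumed, simplified format, not any real platform's
export, and the thresholds are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Roles treated as privileged (assumed names, not a vendor's role catalogue).
PRIVILEGED_ROLES = {"GlobalAdmin", "ExchangeAdmin"}

# Per-user baseline of countries previously seen at sign-in (assumed).
KNOWN_LOCATIONS = {
    "admin.svc@example.com": {"GB"},
    "analyst@example.com": {"GB"},
}

# Constructed sample events, one JSON object per line. "ZZ" is a
# placeholder country code, not an attribution.
SAMPLE_LOG = """\
{"ts": "2017-03-01T08:00:00", "user": "admin.svc@example.com", "op": "Login", "mfa": true, "country": "GB", "role": "GlobalAdmin"}
{"ts": "2017-03-01T09:30:00", "user": "analyst@example.com", "op": "Login", "mfa": true, "country": "GB", "role": "User"}
{"ts": "2017-03-01T09:31:00", "user": "analyst@example.com", "op": "MailExport", "mailbox": "analyst@example.com", "items": 12}
{"ts": "2017-03-01T22:14:00", "user": "admin.svc@example.com", "op": "Login", "mfa": false, "country": "ZZ", "role": "GlobalAdmin"}
{"ts": "2017-03-01T22:15:10", "user": "admin.svc@example.com", "op": "MailExport", "mailbox": "partner1@example.com", "items": 400}
{"ts": "2017-03-01T22:16:40", "user": "admin.svc@example.com", "op": "MailExport", "mailbox": "partner2@example.com", "items": 450}
{"ts": "2017-03-01T22:18:05", "user": "admin.svc@example.com", "op": "MailExport", "mailbox": "partner3@example.com", "items": 500}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def privileged_logins_without_mfa(events):
    """Rule 1: a privileged-role sign-in that was not MFA-verified. This is
    the Deloitte condition itself: a password alone was enough to get in."""
    return [
        e for e in events
        if e["op"] == "Login"
        and e.get("role") in PRIVILEGED_ROLES
        and not e.get("mfa", False)
    ]


def logins_from_new_locations(events, baseline):
    """Rule 2: a sign-in from a country not in the user's baseline."""
    return [
        e for e in events
        if e["op"] == "Login"
        and e.get("country") not in baseline.get(e["user"], set())
    ]


def bulk_mail_exports(events, window=timedelta(minutes=10), max_items=1000):
    """Rule 3: more than max_items mail items exported by one user inside a
    sliding time window. Each export may be small on its own; summing them
    means a slow, chunked drain of mailboxes still trips the threshold."""
    per_user = defaultdict(list)
    for e in events:
        if e["op"] == "MailExport":
            per_user[e["user"]].append(e)

    alerts = []
    for user, exports in per_user.items():  # already time-ordered
        start, total = 0, 0
        for export in exports:
            total += export["items"]
            # Drop exports that fall outside the window ending at this one.
            while export["ts"] - exports[start]["ts"] > window:
                total -= exports[start]["items"]
                start += 1
            if total > max_items:
                alerts.append({"user": user, "items": total,
                               "from": exports[start]["ts"], "to": export["ts"]})
                break  # one alert per user is enough for triage
    return alerts


def run_rules(text=SAMPLE_LOG, baseline=KNOWN_LOCATIONS):
    """Run all three rules and return the alerts keyed by rule name."""
    events = parse_events(text)
    return {
        "privileged_login_without_mfa": privileged_logins_without_mfa(events),
        "login_from_new_location": logins_from_new_locations(events, baseline),
        "bulk_mail_export": bulk_mail_exports(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(f"{rule}: {len(hits)} alert(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed sample the script raises one alert per rule, all against the admin account: the 22:14 sign-in without MFA from an unfamiliar country, followed by three exports that individually stay under the threshold but sum to 1350 items inside ten minutes. Rule 3 uses a sliding window rather than a per-event size check for exactly that reason; the same three exports spread an hour apart would not fire. In production the baseline would be learned from historical sign-ins and the alerts fed to a SIEM, but the rules themselves are what the paragraph above asks for.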

Frequently Asked Questions

Could the Deloitte email breach happen to a smaller professional services firm?

Yes — and it does, regularly, to firms of all sizes. The attack vector (compromised admin credentials, no MFA) is the most common route into professional services email platforms. The difference is scale: a breach of a ten-person consultancy's email system may not make national news, but the consequences for clients whose confidential communications are exposed are the same. The controls required to prevent it — MFA on all accounts, particularly admin accounts — are the same regardless of firm size.

Review your email security posture

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
