Updated: Government Agencies Not Compromised in Deloitte Breach


The breach affected an email system that included information from several markets.

Editor's Note: This headline and story have been updated to include new information from Deloitte clarifying the nature of the data breach. For an updated report on the breach, click here.

A data breach of an email system at the consultancy and accounting firm Deloitte did not include government data, said a Deloitte spokesperson Tuesday.

The breach compromised client emails and planning documents and may also have compromised usernames, passwords, IP addresses and health information, The Guardian reported Monday.

The Guardian’s report said the breached email system included government information. Deloitte confirmed that a breach had occurred in an email to Nextgov Monday, but on Tuesday, a Deloitte spokesperson said the company had concluded that no government data was compromised—federal, state or local.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The company did not disclose which sectors were affected by the breach, though it did say it had contacted federal authorities as soon as it learned of the breach.

The Homeland Security Department, which agencies are required to alert about such a third-party breach, also did not immediately respond to requests for comment. The White House deferred comment to Homeland Security.

Hackers compromised Deloitte’s email system by gaining access to an administrator account that was protected only by a single password and did not require a second step for verification such as a unique code, security question or fingerprint or other biometric identifier, according to the report.

Two-step verification is considered a basic security measure that security advisors routinely recommend for companies and individuals.

Deloitte was a party to over $1 billion in government contracts during the 2017 fiscal year, according to a contracting database. The firm’s government clients included the Homeland Security, Defense, Justice, Treasury, Education, and Health and Human Services departments, among others.

While direct breaches of government agencies, such as the massive Office of Personnel Management breach in 2015, receive the most attention, government agencies have also frequently been victims of third-party breaches.

For example, the government severed ties in 2014 with the background check provider USIS, in the wake of a breach that compromised employee information.