The Guardian reported Monday that six Deloitte clients had information breached by a sophisticated attack and hackers potentially had access to usernames, passwords, IP addresses, architectural diagrams for business.
Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been "impacted".
The cyberattack focused on the USA operations of the company, which provides auditing, tax advice and consultancy to multinationals and governments worldwide, the report said.
The company also believes that hackers may have access to email system since October or November 2016.
While information is scant and Deloitte has yet to confirm specific details of what happened, experts said that the compromise of a global email server should be a wake-up call for corporations to, at a minimum, have two-step authentication in place for privileged accounts.
The company said in a statement that "very few clients" were affected by the attack, which was reportedly discovered in March.
The team investigating the breach has been reviewing potentially compromised documents for six months, but the attackers have yet to be identified, according to reports.
The company says it is "deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity".
"We will continue to evaluate this matter and take additional steps as required".
It is not known which government departments have been affected by the attack, and it's not clear whether this was a state-sponsored hack. It has also revealed it was also the victim of an earlier breach in March.
News of the hack comes two weeks after credit reporting firm Equifax acknowledged a breach that may have impacted up to 143 million Americans, an incident that has put the spotlight on cyber threats to major private sector entities. "The companies include household names as well as U.S. government departments", the report said. The company did not name the clients, confirm the number of clients it had contacted or say what type of data was stolen.