Big Four accounting firm Deloitte, with $37B in annual revenues, found out that it had been hacked in March, and the hackers appear to have been inside its systems (supplied by Microsoft through its Azure cloud) since the previous October or March.
The hackers had access to up to 5 million sensitive company emails and documents from across all the sectors in which Deloitte operates, "the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies."
Deloitte kept the hack internally secret, only informing "a handful" of senior partners and lawyers, as well as six clients.
The Guardian has been told the internal inquiry into how this happened has been codenamed "Windham". It has involved specialists trying to map out exactly where the hackers went by analysing the electronic trail of the searches that were made.
The team investigating the hack is understood to have been working out of the firm's offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months.
It has yet to establish whether a lone wolf, business rivals or state-sponsored hackers were responsible.
Sources said if the hackers had been unable to cover their tracks, it should be possible to see where they went and what they compromised by regenerating their queries. This kind of reverse-engineering is not foolproof, however.
A measure of Deloitte's concern came on 27 April when it hired the US law firm Hogan Lovells on "special assignment" to review what it called "a possible cybersecurity incident".
Deloitte hit by cyber-attack revealing clients' secret emails
[Nick Hopkins/The Guardian]