It is understood that hackers were able to use an administrator account to gain access to the firm's global email server.
The attack was believed to have been focused on the U.S operations of the company, which provides auditing, tax advice and consultancy to multinationals and governments worldwide.
The firm, which is one of Britain's "Big Four" accountancy firms, is understood to have discovered the attack in March, but hackers could have had access to the group's confidential data since October or November past year, the Guardian said. Because of the sensitive nature of the breach, only senior partners and legal professionals were initially informed. Headquartered in NY, it reported a record $37 billion in revenue past year.
Deloitte's Rosslyn, Virginia offices have been used for the last six months to carry out an investigation using the codename Windham.
The company said it has contacted "the very few clients impacted and notified governmental authorities and regulators".
Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security'.
Deloitte said in a statement that attackers accessed data from the company's email platform, confirming some details in a report by the Guardian.More news: China's August trade with North Korea surges after United Nations sanctions
More news: Hurricane Maria stays strong, Lee a Tropical Storm again
More news: One killed, seven wounded in Tennessee church shooting
The Equifax breach was discovered in July, but those potentially affected were notified only in mid-September 2017.
This breach comes weeks after Equifax, the USA credit monitoring agency, said the personal data of 143 million US customers and 100,000 Canadian costumers had been accessed or stolen in a massive cyberattack in May. This would have given the attackers full access to the company, and such accounts typically have two-factor authentication enabled. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.
The team investigating the hack is understood to have been working out of the firm's offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months.
"This is why multi-factor access control such as two-factor authentication is important, especially for admins".
If employees' stored emails were encrypted, which arguably most sensitive content should be, Pepper said it would then be impossible to decrypt each one, even with administrator access.
The internal review is still ongoing and so far it is not known who is responsible: whether it was a lone wolf, a business rival or the result of a state-sponsored hacker.
In the light of the Deloitte breach, Sam Curry, chief security officer at Cybereason, urged all corporations to build a hunting practice and to improve their security hygiene. It also alleged that "no disruption has occurred to client businesses" or to its ability to service both clients and consumers.