At least six of Deloitte's clients have been told their information was "impacted" by the hack that exposed some 5 million emails.
The newspaper says hackers gained access through an administrator's account last fall and the attack was discovered in March, although it may have occurred as early as October or November 2016.
The breach, which was US-focused, could have given hackers access to all areas, usernames, passwords, IP addresses, architectural diagrams for business and health information.
This is especially embarrassing for a firm that prides itself on helping other companies thwart online cybersecurity attacks.
The financial regulatory agency said its network was hacked past year, possibly allowing intruders to make money by seeing crucial financial information before everyone else.
A hacker, or group of hackers, was able to break into Deloitte's systems by compromising an email server via an "administrator's account".
Maine's Collins puts another nail in coffin of Obamacare repeal
Trump and McConnell both back unusual , but supporters and associates of Trump, including former chief strategist Stephen K. At the core of the Cassidy-Graham plan is a maneuver to turn funding for the ACA into block grants for states.
Deloitte's auditing, tax consultancy and cyber security clients include banks, multinational media enterprises, pharmaceutical firms and government agencies.
Deloitte hasn't stated which of its clients, which include United States government agencies, have been impacted, but said, "As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators".
Deloitte claims that only a small fraction of its clients have been affected by this breach.
The Equifax breach was discovered in July, but those potentially affected were notified only in mid-September 2017. As is so often the case, you can have the most fool-proof security operations around, but if some fool doesn't use two-factor authentication, you're a sitting duck.
Deloitte did not provide further information about when the breach happened or how many emails were accessed. But it "resulted in access to nonpublic information" that "may have provided the basis for illicit gain through trading".
Corporations, said Curry, also need a professional, modern incident response capability, a real strategy for segmentation and good hygiene, and to elevate the way security is managed and operated.