The accounting firm stated they have reviewed the hack after going through a "comprehensive security protocol", and had also contacted the authorities and the clients affected immediately.
The Guardian - which first broke the story - says that the attack was focused on the U.S. side of Deloitte's operations, and data belonging to banks, multinationals, media enterprises, pharmaceutical firms and government agencies was included in the breach.
One of the largest private firms in the United States, which reported a record $37bn revenue a year ago, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.
The report also said the attackers may have accessed the systems since October or November 2016.
It's understood six of Deloitte's clients have been informed that their information was involved, with the company undertaking an internal review. The breach seems to have been focused on US-based companies.
News of the hack comes two weeks after credit reporting firm Equifax acknowledged a breach that may have impacted up to 143 million Americans, an incident that has put the spotlight on cyber threats to major private sector entities.
According to a statement from the company, hackers accessed data from an email platform.
While information is scant and Deloitte has yet to confirm specific details of what happened, experts said that the compromise of a global email server should be a wake-up call for corporations to, at a minimum, have two-step authentication in place for privileged accounts.
"Deloitte remains deeply committed to ensuring that its cyber security defences are best in class, investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security".
Our review enabled us to determine what the hacker did and what information was at risk as a result.
"It works with some of the biggest organisations on earth, at the very highest level, which is like a red rag to a bull for hackers", he said. Stored on Microsoft's Azure cloud service, this was not protected with two-factor authentication.