“Big four” accounting and consulting firm Deloitte revealed on Monday that it was targeted by a hack that exposed its email system and client records.

Although Deloitte has not yet provided details on the full extent of the breach, it confirmed that the information accessed includes confidential emails and plans of some of its blue-chip clients. It also said that “very few” clients were affected.

The Guardian reports that Deloitte discovered the hack in March this year, but the hackers may have had access to the system since October or November 2016.

The Guardian report states that the hacker accessed the firm’s global email server through an administrator’s account that required a single password and not a “two-step” verification process. The account potentially gave the hacker unrestricted access to emails, as well as usernames, passwords, IP addressed, architectural diagrams for business and health information.

Deloitte has been criticised for downplaying the breach with suggestions that the hack is more severe than the firm has stated.

The hack hurts Deloitte’s reputation as a cyber-security consulting business. If the Guardian report is true, Deloitte failed to deploy basic security measures, being a two-step authentication process.