The firm, which is one of Britain's "Big Four" accountancy firms, is understood to have discovered the attack in March, but hackers could have had access to the group's confidential data since October or November past year, the Guardian said.
In addition to emails, the Guardian said the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information.
Deloitte, one of the world's largest private accountancy firms, manages clients such as a banks, publishers as well as government agencies and it is thought companies spanning the full range of Deloitte's clients could be at risk.
Deloitte's Rosslyn, Virginia offices have been used for the last six months to carry out an investigation using the codename Windham.
According to the report, Deloitte discovered the breach in March of this year.
"It also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner", he said.
Giants-Eagles, Week 3
The clock is rapidly ticking on the Giants to do so. 2007: They opened with losses in Dallas and at home against the Packers. That doesn't mean they won't keep trying, even when they're down by two touchdowns with two minutes to go in the game.
The team investigating the hack is understood to have been working out of the firm's offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months. "In Deloitte's case, this included confidential client information".
It is not known which government departments have been affected by the attack, and it's not clear whether this was a state-sponsored hack.
This is especially embarrassing for a firm that prides itself on helping other companies thwart online cybersecurity attacks.
A Deloitte spokeswoman declined immediate comment, saying that the firm would issue a statement shortly.
Last week, several small businesses in the USA filed a class-action lawsuit against credit rating firm Equifax, representing millions of others affected by the breach of personal data, which included names, dates of birth, email addresses and telephone numbers. The US company said an investigation had revealed that a file containing United Kingdom consumer information "may potentially have been accessed".
The Equifax breach was discovered in July, but those potentially affected were notified only in mid-September 2017.