{"id":473103,"date":"2026-03-13T08:49:11","date_gmt":"2026-03-13T08:49:11","guid":{"rendered":"https:\/\/www.newsbeep.com\/uk\/473103\/"},"modified":"2026-03-13T08:49:11","modified_gmt":"2026-03-13T08:49:11","slug":"mckinsey-rushes-to-fix-ai-system-after-hacker-exposes-flaws","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/uk\/473103\/","title":{"rendered":"McKinsey rushes to fix AI system after hacker exposes flaws"},"content":{"rendered":"<p>McKinsey has rushed to fix flaws in an in-house AI system after hackers gained access to millions of its internal messages and were able to identify sensitive files.<\/p>\n<p>CodeWall, a cyber security firm, said this week that it had hacked Lilli, McKinsey\u2019s AI platform used by its 40,000 staff, and found millions of files and communications within two hours.<\/p>\n<p>It said it had gained access to 46.5mn chat messages on the system, which is used by <a href=\"https:\/\/www.ft.com\/stream\/f2e2ce17-d69b-439c-9e73-40618ceb2c0b\" title=\"\" data-trackable=\"link\" rel=\"nofollow noopener\" target=\"_blank\">McKinsey<\/a> staff to plan strategy, analyse data and create project plans and presentations for clients. <\/p>\n<p>The hack underscores the risks that come with the rapid adoption of <a href=\"https:\/\/www.ft.com\/artificial-intelligence\" title=\"\" data-trackable=\"link\" rel=\"nofollow noopener\" target=\"_blank\">AI<\/a> and is potentially embarrassing for McKinsey at a time when it is pitching for work advising blue-chip companies on how to use the technology. 
The consultancy has touted its AI tools as evidence that it is at the forefront of adopting the technology.\u00a0<\/p>\n<p>CodeWall, which aims to find cyber security flaws in companies\u2019 systems so they can fix them, said it had used its own AI agent to carry out the hack. \u201cWithin 2 hours, the agent had full read and write access to the entire production database,\u201d CodeWall said on its website. <\/p>\n<p>It also claimed to have accessed a list of 728,000 \u201csensitive\u201d file names, including Excel spreadsheets, PowerPoint decks and Word documents. A person close to McKinsey said that the files themselves were stored separately and were \u201cnever at risk\u201d.<\/p>\n<p>CodeWall, whose founder Paul Price said he was the group\u2019s only employee, says it focuses on companies such as McKinsey that have published guidelines on how ethical hackers should probe their systems for cyber security flaws. <\/p>\n<p>In this case, the AI agent automatically stopped attempting to access files and reported the security issues once they were discovered, CodeWall said. <\/p>\n<p>The cyber security firm said it had gained access to 57,000 user accounts, 384,000 AI assistants and 94,000 workspaces, which it called \u201cthe full organisational structure of how the firm uses AI internally\u201d and the \u201cfirm\u2019s intellectual crown jewels\u201d. <\/p>\n<p>Lilli\u2019s system prompts and AI model configurations were also laid bare during the hack, CodeWall said, \u201crevealing exactly how the AI was instructed to behave [and] what guardrails existed\u201d. <\/p>\n<p>McKinsey\u2019s security team was alerted to CodeWall\u2019s findings at the end of February, according to the person close to the consultancy. McKinsey patched the holes identified and took offline its development environment, an online area for testing code, within hours, the person added. <\/p>\n<p>CodeWall said its AI agent had itself suggested McKinsey as a target. 
\u201cIn the AI era, the threat landscape is shifting drastically \u2014 AI agents autonomously selecting and attacking targets will become the new normal,\u201d the company said.\u00a0<\/p>\n<p>McKinsey said it was \u201crecently alerted to a vulnerability related to our internal AI tool, Lilli, by a security researcher. We promptly confirmed the vulnerability and fixed the issue within hours\u201d. <\/p>\n<p>It added: \u201cOur investigation, supported by a leading third-party forensics firm, identified no evidence that client data or client confidential information were accessed by this researcher or any other unauthorized third party.<\/p>\n<p>\u201cMcKinsey\u2019s cyber security systems are robust, and we have no higher priority than the protection of client data and information that we have been entrusted with.\u201d <\/p>\n<p>McKinsey claimed last year that consulting on AI and related technology accounted for 40 per cent of its revenue, and this year its chief executive said it has built 25,000 AI \u201cagents\u201d to support its 40,000-strong workforce.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":473104,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[554,733,4308,86,56,54,55],"class_list":{"0":"post-473103","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-technology","12":"tag-uk","13":"tag-united-kingdom","14":"tag-unitedkingdom"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/473103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/comments?post=473103"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/posts\/473103\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media\/473104"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/media?parent=473103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/categories?post=473103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/uk\/wp-json\/wp\/v2\/tags?post=473103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}