McKinsey’s AI system hacked, exposing millions of internal messages

TL;DR:

  • Cybersecurity firm CodeWall breached McKinsey’s internal AI platform Lilli within two hours using its own AI agent, accessing 46.5 million chat messages and 57,000 user accounts.
  • The hack exposed system prompts, AI model configurations and 728,000 sensitive file names, though McKinsey says files themselves were stored separately and never at risk.
  • The incident underscores how rapidly AI tools are expanding enterprise attack surfaces — a warning for any UK business deploying internal AI platforms at scale.

McKinsey has patched security flaws in its internal AI platform after a cybersecurity researcher demonstrated they could gain full read and write access to the system’s production database in under two hours.

The breach

CodeWall, a one-person cybersecurity firm run by founder Paul Price, used its own AI agent to probe Lilli — the AI tool used by McKinsey’s 40,000 staff for strategy planning, data analysis and client presentations. The agent autonomously identified McKinsey as a target based on its published responsible disclosure guidelines.

Within two hours, CodeWall reported accessing 46.5 million chat messages, 57,000 user accounts, 384,000 AI assistants and 94,000 workspaces. The firm also said it had obtained a list of 728,000 sensitive file names, including spreadsheets and presentations, along with Lilli’s system prompts and AI model configurations — what CodeWall described as “the firm’s intellectual crown jewels.”

McKinsey was alerted in late February and says it patched the vulnerabilities and took its development environment offline within hours. The consultancy stated that a third-party forensics investigation “identified no evidence that client data or client confidential information were accessed.”

Why it matters

The breach is particularly awkward for McKinsey given its positioning as an AI advisory leader. The firm claimed last year that AI and related technology consulting accounted for 40% of its revenue, and its chief executive has said the company has built 25,000 AI agents to support its workforce.

CodeWall’s warning carries broader implications: “AI agents autonomously selecting and attacking targets will become the new normal.” For UK enterprises rolling out internal AI platforms, the incident highlights how these tools create new attack surfaces that conventional security audits may not cover — particularly around system prompts, model configurations and the vast data stores that AI tools accumulate.

Looking forward

McKinsey says its “cyber security systems are robust” and protecting client data remains its highest priority. But the speed of the breach — and the fact it was carried out by a single researcher with an AI agent — raises questions about whether enterprise AI security practices are keeping pace with deployment. UK businesses building similar internal AI tools should treat this as a prompt to audit their own AI infrastructure for equivalent vulnerabilities.