Consulting cyber incident reported
A hacker reportedly accessed one of Bain & Company’s internal AI tools, following a separate recent breach at McKinsey that had already exposed cybersecurity weaknesses at major consultancies. (expansion.com) The episode highlights that firms running internal AI systems face exposure vectors beyond their traditional IT assets. (expansion.com)
A hacker said it got into Bain & Company’s internal Pyxis artificial intelligence tool by using login details left in public web code. (aidirectory.com) The group, CodeWall, said Pyxis is used by part of Bain’s private equity team to review companies during due diligence, the pre-deal check on a target business. CodeWall said it viewed nearly 10,000 chatbot conversations after getting in. (aidirectory.com)

Bain said it investigated immediately, hired outside cyber specialists, fixed the issue quickly and added extra protections. The firm also said it disputed CodeWall’s description of the platform and the scale of the exposure. (aidirectory.com)

Pyxis is a Bain consumer-intelligence business built around transaction data, which is the record of what shoppers buy and where they buy it. Bain said when it bought Pyxis in December 2019 that the unit would strengthen due-diligence and investment analysis work. (bain.com) On its website, Pyxis says it processes hundreds of billions of transactions and uses artificial intelligence and machine learning to turn that data into market-share and pricing insights. That means a breach of an internal tool can expose not just emails and files, but also the questions consultants ask and the data products behind the answers. (pyxisbybain.com)

The Bain incident followed a separate March 2026 disclosure involving McKinsey’s internal generative artificial intelligence platform, Lilli. CodeWall said its agent gained read and write access there in under two hours, while McKinsey said it fixed the issues within hours and found no evidence that client confidential information had been accessed by the researcher or any other unauthorized third party. (theregister.com) McKinsey has described Lilli as a firmwide platform rolled out in July 2023, with 72 percent of the firm active on it and more than 500,000 prompts a month. The company said colleagues reported as much as 30 percent time savings in searching and synthesizing knowledge. (mckinsey.com)

Consulting firms have spent the past two years building internal artificial intelligence systems so staff can search proprietary research, draft materials and work with sensitive client information inside company-controlled tools. The Bain and McKinsey episodes both centered on those internal systems rather than on public chatbots. (mckinsey.com) (aidirectory.com) The immediate question for Bain is what, if anything, investigators conclude was actually exposed through Pyxis. The broader issue for large consultancies is whether fast-built internal artificial intelligence products are being secured with the same rigor as older corporate systems. (aidirectory.com)
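The root cause CodeWall described, login details left in public web code, is one that a pre-deploy scan of built front-end assets can catch before they are served. The Python below is an added example, not code from Bain, CodeWall or the original reports; its detection rules, entropy threshold and sample bundle are constructed for illustration and should be tuned to the secret formats an organisation actually uses.

```python
import math
import re
from dataclasses import dataclass

# Rules for credential material that should never ship in a public bundle.
# Constructed for this example; extend them with your own token formats.
RULES = {
    "basic_auth_in_url": re.compile(r"https?://[^\s/:@\"']+:[^\s/@\"']+@"),
    "bearer_token_literal": re.compile(r"Bearer\s+[A-Za-z0-9\-_.]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*[\"']([^\"']{12,})[\"']"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


@dataclass
class Finding:
    rule: str
    line: int
    snippet: str


def find_embedded_credentials(bundle: str, min_entropy: float = 3.5) -> list[Finding]:
    """Scan built front-end text (JS/HTML/JSON) line by line for strings that look
    like live credentials; assignment matches are entropy-filtered to skip placeholders."""
    findings = []
    for lineno, line in enumerate(bundle.splitlines(), start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(2) if name == "secret_assignment" else m.group(0)
                if name == "secret_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(name, lineno, m.group(0)[:60]))
    return findings


# Constructed sample of a minified bundle (not real code from any firm).
SAMPLE_BUNDLE = """\
const cfg={baseUrl:"https://api.example.internal/v1",timeout:3000};
fetch(cfg.baseUrl,{headers:{Authorization:"Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.c2lnbmF0dXJl"}});
const apiKey="REPLACE_ME_LATER";
const s3={region:"us-east-1",accessKeyId:"AKIAEXAMPLEKEY000001"};
const dsn="https://svc_user:Tr0ub4dor-3x@db.example.internal:5432/pyx";
"""
```

Run `find_embedded_credentials` over every built asset in CI and fail the build on any finding; on the sample it reports the bearer token, the AWS key id and the credentialed URL while ignoring the placeholder API key.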