McKinsey & Company is a global management consulting firm. We are the trusted advisor to the world's leading businesses, governments, and institutions. We work with leading organizations across the private, public and social sectors. Our scale, scope, and knowledge allow us to address problems that no one else can. We have deep functional and industry expertise as well as breadth of geographical reach. We are passionate about taking on immense challenges that matter to our clients and, often, to the world. We work with our clients as we do with our colleagues. We build their capabilities and leadership skills at every level and every opportunity. We do this to help build internal support, get to real issues, and reach practical recommendations. We bring out the capabilities of clients to fully participate in the process and lead the ongoing work.

McKinsey & Company A.I CyberSecurity Scoring

Company Details

LinkedIn ID: mckinsey
Number of employees: 38,633
Number of followers: 6,920,938
NAICS: 5416
Industry Type: Business Consulting and Services
Homepage: mckinsey.com
IP Addresses: Scan still pending
Company ID: MCK_2563487
Scan Status: In-progress

MC Risk Score (AI oriented): Between 800 and 849

  • Powered by our proprietary A.I cyber incident model
  • Insurance prefers TPRM score to calculate premium

McKinsey & Company
Current Score: 815, A (Good)
Scale: 0 to 1000
1 incident
-11.0 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

APRIL 2026: 815
MARCH 2026: 826
Cyber Attack
09 Mar 2026 • McKinsey: AI agent hacked McKinsey chatbot for read-write access
AI Agent Exploits McKinsey’s Internal Chatbot in Under Two Hours

Researchers at security startup CodeWall demonstrated how an autonomous AI agent hacked McKinsey’s internal generative AI platform, *Lilli*, gaining full read-and-write access to its production database within two hours. The attack, conducted in late February, exposed 46.5 million chat messages, 728,000 confidential client files, 57,000 user accounts, and 95 writable system prompts, all in plaintext.

The agent exploited an unauthenticated SQL injection vulnerability in Lilli’s API, which was publicly exposed through 22 unsecured endpoints. By manipulating JSON keys in user search queries, the AI bypassed standard security tools, eventually extracting live production data. The flaw also allowed attackers to rewrite Lilli’s system prompts, potentially poisoning responses for McKinsey’s 40,000+ users without requiring code changes, just a single HTTP request.

McKinsey patched the vulnerabilities within hours of disclosure on March 1, taking the development environment offline and securing API documentation. A company spokesperson confirmed no evidence of unauthorized client data access, though the incident underscores the growing threat of AI-driven cyberattacks.

CodeWall’s CEO noted that the attack was fully autonomous, from target selection to exploitation, signaling a shift toward machine-speed intrusions by malicious actors. The firm’s findings highlight the risks of AI systems interacting with insecure databases and the potential for large-scale data manipulation.

815
critical -11
MCK1773109656
AI-driven cyberattack
Unauthenticated SQL injection via API
Unauthenticated SQL injection in Lilli’s API, publicly exposed endpoints
Demonstration of AI-driven exploitation risks
Data Compromised: 46.5 million chat messages, 728,000 confidential client files, 57,000 user accounts, 95 writable system prompts
Systems Affected: McKinsey’s internal generative AI platform (*Lilli*)
Operational Impact: Potential poisoning of AI responses for 40,000+ users
Brand Reputation Impact: Undermined trust in AI security
Containment Measures: Took development environment offline, secured API documentation
Remediation Measures: Patched SQL injection vulnerability
Communication Strategy: Company spokesperson confirmed no unauthorized client data access
Chat messages, confidential client files, user accounts, system prompts
Number Of Records Exposed: 46.5 million chat messages, 728,000 files, 57,000 accounts, 95 prompts
Sensitivity Of Data: High (confidential client files, plaintext data)
Data Encryption: No (plaintext)
Risks of AI systems interacting with insecure databases, potential for large-scale data manipulation via AI-driven attacks
Secure API endpoints, implement authentication for database access, monitor AI system interactions for anomalies
Resolved
Entry Point: Unauthenticated SQL injection in Lilli’s API
Root Causes: Unauthenticated SQL injection vulnerability, publicly exposed API endpoints, insecure database interactions
Corrective Actions: Patched vulnerability, secured API documentation, took development environment offline
FEBRUARY 2026: 826
JANUARY 2026: 826
DECEMBER 2025: 826
NOVEMBER 2025: 826
OCTOBER 2025: 826
SEPTEMBER 2025: 826
AUGUST 2025: 826
JULY 2025: 826
JUNE 2025: 826
MAY 2025: 826

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for McKinsey & Company is 815, which corresponds to a Good rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 826.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 826.

Over the past 12 months, the average per-incident point impact on McKinsey & Company’s A.I Rankiteo Cyber Score has been -11.0 points.

You can access McKinsey & Company’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/mckinsey.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view McKinsey & Company’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/mckinsey.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.