Ernst & Young discloses data breach after intruders steal client tax records from a third-party support platform
Ernst & Young is notifying clients after intruders broke into an external IT support platform and downloaded documents containing tax-filing and financial data, including Social Security numbers.
- Victim
- Ernst & Young
On 15 July 2026, Ernst & Young โ one of the Big Four accounting, audit and tax-advisory firms โ began notifying clients that an unauthorized third party had broken into an external support-ticket platform used by its IT personnel and downloaded documents containing sensitive client data. The compromise did not touch EY's core network directly; instead, attackers reached the firm's data through a third-party software platform that its technology teams relied on to manage support requests.
According to breach notifications filed with the California and Vermont Attorneys General, the intruder accessed the platform between 28 March and 12 April 2026 and exfiltrated documents pertaining to a number of EY clients. EY says it detected anomalous activity on 23 April 2026 and immediately launched an investigation with the help of outside cybersecurity experts, which confirmed both the access window and that documents had been downloaded.
What was exposed
The compromised documents contained personal and financial information contained in, or used to prepare, tax filings. The separate filing with the Vermont Attorney General's office indicated that the exposure may have included Social Security numbers, financial account codes, and credit or debit account information, as well as data tied to individuals' investment holdings with EY's institutional clients. EY said it had no current evidence of misuse of the exposed data, nor any indication that specific individuals had been deliberately targeted.
To mitigate the risk, the firm is offering affected clients 24 months of identity-monitoring and restoration services through Experian, urging recipients to enrol by 31 October 2026.
A third-party breach with Big Four reach
The incident is notable less for its technical sophistication than for its blast radius: EY sits at the centre of the financial and tax affairs of large institutional clients, so a breach of the documents it holds carries downstream exposure for those clients' customers and investors. As of the initial disclosures, no ransomware or data-extortion group had claimed responsibility for the attack, and EY had not published a figure for the total number of individuals affected. With the intrusion contained, the access window closed, and remediation and client notification under way, the incident's status was best characterised as contained โ though the full scope of downstream impact remained under assessment, and at least one class-action law firm had already signalled potential litigation.
Timeline
An unauthorized third party begins accessing the external IT support-ticket platform used by EY's technology staff.
The unauthorized access ends; the intruder had downloaded documents relating to a number of EY clients.
EY detects anomalous activity on its networks and launches an investigation with outside cybersecurity experts.
EY files data-breach notifications with the California and Vermont Attorneys General and begins notifying affected clients, offering 24 months of Experian identity monitoring.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/ernst-and-young-discloses-data-breach-after-support-system-hack/
- securityaffairs.comhttps://securityaffairs.com/195550/data-breach/ernst-young-ey-investigates-data-breach-involving-third-party-support-tickets.html
- cybernews.comhttps://cybernews.com/security/ey-data-breach-tax-documents/
- cybersecuritynews.comhttps://cybersecuritynews.com/ey-data-breach/
- classaction.orghttps://www.classaction.org/data-breach-lawsuits/ernst-and-young-july-2026