Skip to content
Data breachContained

Ernst & Young discloses data breach after intruders steal client tax records from a third-party support platform

Ernst & Young is notifying clients after intruders broke into an external IT support platform and downloaded documents containing tax-filing and financial data, including Social Security numbers.

Victim
Ernst & Young

On 15 July 2026, Ernst & Young โ€” one of the Big Four accounting, audit and tax-advisory firms โ€” began notifying clients that an unauthorized third party had broken into an external support-ticket platform used by its IT personnel and downloaded documents containing sensitive client data. The compromise did not touch EY's core network directly; instead, attackers reached the firm's data through a third-party software platform that its technology teams relied on to manage support requests.

According to breach notifications filed with the California and Vermont Attorneys General, the intruder accessed the platform between 28 March and 12 April 2026 and exfiltrated documents pertaining to a number of EY clients. EY says it detected anomalous activity on 23 April 2026 and immediately launched an investigation with the help of outside cybersecurity experts, which confirmed both the access window and that documents had been downloaded.

What was exposed

The compromised documents contained personal and financial information contained in, or used to prepare, tax filings. The separate filing with the Vermont Attorney General's office indicated that the exposure may have included Social Security numbers, financial account codes, and credit or debit account information, as well as data tied to individuals' investment holdings with EY's institutional clients. EY said it had no current evidence of misuse of the exposed data, nor any indication that specific individuals had been deliberately targeted.

To mitigate the risk, the firm is offering affected clients 24 months of identity-monitoring and restoration services through Experian, urging recipients to enrol by 31 October 2026.

A third-party breach with Big Four reach

The incident is notable less for its technical sophistication than for its blast radius: EY sits at the centre of the financial and tax affairs of large institutional clients, so a breach of the documents it holds carries downstream exposure for those clients' customers and investors. As of the initial disclosures, no ransomware or data-extortion group had claimed responsibility for the attack, and EY had not published a figure for the total number of individuals affected. With the intrusion contained, the access window closed, and remediation and client notification under way, the incident's status was best characterised as contained โ€” though the full scope of downstream impact remained under assessment, and at least one class-action law firm had already signalled potential litigation.

Timeline

  1. An unauthorized third party begins accessing the external IT support-ticket platform used by EY's technology staff.

  2. The unauthorized access ends; the intruder had downloaded documents relating to a number of EY clients.

  3. EY detects anomalous activity on its networks and launches an investigation with outside cybersecurity experts.

  4. EY files data-breach notifications with the California and Vermont Attorneys General and begins notifying affected clients, offering 24 months of Experian identity monitoring.

Sources

  1. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/ernst-and-young-discloses-data-breach-after-support-system-hack/
  2. securityaffairs.comhttps://securityaffairs.com/195550/data-breach/ernst-young-ey-investigates-data-breach-involving-third-party-support-tickets.html
  3. cybernews.comhttps://cybernews.com/security/ey-data-breach-tax-documents/
  4. cybersecuritynews.comhttps://cybersecuritynews.com/ey-data-breach/
  5. classaction.orghttps://www.classaction.org/data-breach-lawsuits/ernst-and-young-july-2026

Related incidents

Data breachResolved

Hot Topic data breach (2024)

In October 2024, retailer Hot Topic suffered a data breach that exposed 57 million unique email addresses. The impacted data also included physical addresses, phone numbers, purchases, genders, dates of birth and partial credit data containing card type, expiry and last 4 digits.

Victim
Hot Topic
Records
56.9M