Ernst & Young Discloses Client Tax Data Breach After Third-Party Support System Hack

Ernst & Young began notifying clients on July 17 that a third-party IT support ticket system was compromised between March 28 and April 12, exposing tax filing documents; the Big Four firm is offering 24 months of Experian identity monitoring.

Ernst & Young Discloses Client Tax Data Breach After Third-Party Support System Hack

Ernst & Young began notifying clients on July 17 that attackers compromised a third-party IT support ticket system used by its personnel, downloading documents that in some cases contained client tax information. The disclosure makes EY the latest Big Four accountancy to report a supply-chain style breach targeting its internal tooling.

Anomalous Activity Detected April 23

According to the notification letter reviewed by BleepingComputer, EY detected anomalous activity on its networks on April 23 and, working with external cybersecurity experts, determined that an unauthorized third party had accessed the ticketing platform between March 28 and April 12 and downloaded multiple documents. EY says it has since secured its systems, notified federal law enforcement and confirmed that unauthorized access has been removed.

What Was Exposed

The company describes the affected data as "certain personal and financial data contained in or used to prepare tax filings." Because the sample notification filed with the California Attorney General uses placeholders for the specific data types, the exact fields exposed remain unclear. EY has not disclosed how many customers were affected, nor whether the incident extends beyond its United States client base. Third-party reporting suggests exposed fields may include Social Security numbers, financial account codes and payment card information tied to tax work.

Cybersecurity operations center illustrating enterprise breach response

Remediation And Monitoring Offer

EY says it is not aware of any misuse of the stolen files or evidence that individuals were specifically targeted. The firm is offering affected clients 24 months of identity monitoring and restoration service through Experian, and is urging letter recipients to enroll by October 31, 2026. As of July 17, no data-extortion or ransomware crew had claimed responsibility for the intrusion.

Why It Matters

Ernst & Young employs 406,000 people across more than 150 countries and reported US$53.2 billion in global revenue for fiscal 2025, giving its ticket queues a rich concentration of Fortune 500 tax and audit documentation. The incident lands in a week already dominated by WordPress's force-patched wp2shell RCE, Microsoft's 570-CVE Patch Tuesday and SonicWall SMA 1000 zero-days, underscoring that third-party SaaS suppliers remain the softest edge of any enterprise perimeter.

Reporting based on coverage from BleepingComputer, SC Media and the EY notification filed with the California Office of the Attorney General.

Category: Cyber Security

Tags: Cybersecurity Data Breach Ernst & Young

Related Articles