EY Data Breach Exposes Client Tax Documents Through Third-Party Support Platform


Ernst & Young LLP has disclosed a data breach in which an unauthorized third party accessed an external IT service management platform and downloaded documents connected to the firm’s tax-related client work.

The attacker accessed the platform between March 28 and April 12, 2026. EY detected unusual activity on April 23 and began investigating with help from an independent cybersecurity company.

EY reported the incident to the California Attorney General on July 15. The regulator’s Ernst & Young breach notification page identifies March 28 and April 23 as the relevant incident dates.

How the EY data breach happened

EY uses a third-party IT service management platform to help its technology personnel support employees working on tax matters for clients. Support tickets created in the platform sometimes included documents containing client tax information.

An unauthorized party gained access to the platform and downloaded documents relating to several EY clients. The firm has not explained how the attacker entered the environment or whether compromised credentials, a software vulnerability or another method enabled the intrusion.

The EY data breach notification letter says the firm discovered anomalous activity on April 23. Its investigation later determined that the unauthorized access had occurred between March 28 and April 12.

EventDate
Unauthorized access beganMarch 28, 2026
Confirmed access period endedApril 12, 2026
EY detected anomalous activityApril 23, 2026
Notification letters datedJuly 13, 2026
California filing publishedJuly 15, 2026

What information was exposed?

The downloaded files contained personal information associated with certain individuals and financial information contained in, or used to prepare, tax filings. The precise data elements differ from one affected person to another.

Separate state reporting indicates that information exposed for some recipients may include Social Security numbers, financial account codes and credit or debit account information. However, not every person necessarily had all these data categories exposed.

EY’s generic California notice contains a placeholder where each recipient’s specific data elements would appear. People who receive a notification should check that section carefully to determine which information applies to them.

  • Personal information identified during EY’s document review
  • Financial information associated with tax preparation
  • Social Security numbers for some affected individuals
  • Financial account codes for some individuals
  • Credit or debit account information for some recipients

How many people were affected?

EY has not publicly disclosed a nationwide total. The California Attorney General publishes sample notices when an organization notifies more than 500 California residents, indicating that the incident affected at least that reporting threshold in the state.

The regulator’s submitted breach notice record names Ernst & Young LLP as the reporting organization. It does not provide a total number of affected California residents.

Because the downloaded documents related to several EY clients, the incident may involve individuals who did not interact directly with the affected support platform. Their information may have appeared in documents attached to tickets by EY personnel.

EY says it found no evidence of data misuse

EY says it has no evidence that the exposed information has been misused or made public. The firm also says it has no reason to believe that the attacker deliberately targeted the individuals whose data appeared in the downloaded files.

A lack of confirmed misuse does not eliminate future risk. Tax and financial information can support convincing phishing messages, fraudulent account activity and attempts to open credit in another person’s name.

EY says it secured the affected environment, investigated the incident with external cybersecurity specialists and notified federal law enforcement. The company also continues to monitor for information connected to the breach.

Protection offered to affected individuals

EY is offering eligible recipients 24 months of complimentary Experian IdentityWorks services. The package includes credit monitoring and identity restoration support.

Enrollment requires the activation code included in the individual notification letter. Recipients should use the contact details and web address printed in the letter rather than following links in unexpected emails or text messages.

The sample EY notice also recommends reviewing account statements and credit reports for unfamiliar activity. People should report suspicious transactions directly to their bank or card provider.

What affected people should do now

Anyone who receives an EY breach letter should confirm which data elements were exposed and enroll in the monitoring service before the deadline stated in the notice.

If the exposed information includes a Social Security number, a credit freeze can provide stronger protection against criminals opening new accounts. The Federal Trade Commission’s credit freeze guidance explains that freezes are free and do not affect a person’s credit score.

  • Activate the free identity monitoring offered by EY.
  • Review bank and credit card statements regularly.
  • Check credit reports for accounts or inquiries you do not recognize.
  • Consider freezing credit files with Equifax, Experian and TransUnion.
  • Change reused passwords and enable multifactor authentication.
  • Treat unexpected tax, banking and EY-themed messages with caution.
  • Contact financial institutions through verified phone numbers if suspicious activity appears.

A credit freeze prevents lenders from accessing a credit file to approve most new accounts. It does not stop fraud involving an existing bank account or payment card, so affected people should continue monitoring those accounts.

The FTC’s fraud alert and credit freeze information also explains the differences between these protections. A fraud alert asks businesses to verify an applicant’s identity, while a freeze blocks access to the credit report until the consumer lifts it.

Third-party support systems remain a security risk

IT support platforms can store a broad range of sensitive attachments because employees use them to troubleshoot problems. A compromised account or platform can therefore expose documents from several departments and clients.

Organizations can reduce this risk by restricting sensitive attachments, automatically deleting old ticket data, limiting employee permissions and applying stronger authentication controls. They should also monitor bulk downloads and other unusual activity within support systems.

EY has not named the platform provider or disclosed whether the incident affected other customers of that service. No threat actor has publicly received attribution for the breach.

FAQ

What happened in the EY data breach?

An unauthorized third party accessed a third-party IT service management platform used by EY personnel and downloaded documents connected to tax-related client work.

When did attackers access EY’s support platform?

EY determined that the unauthorized party accessed the platform between March 28 and April 12, 2026. The firm detected anomalous activity on April 23.

What information was exposed in the EY breach?

The downloaded documents contained personal information and financial information used in, or associated with, tax filings. Some notices identify Social Security numbers, financial account codes and credit or debit account information, but the exposed data varies by recipient.

How many people did the EY data breach affect?

EY has not published a nationwide total. Its filing with the California Attorney General indicates that the notification reached more than 500 California residents, which triggers the state’s sample notice requirement.

Has EY found evidence that attackers misused the data?

EY says it has no evidence that the exposed information has been misused or disclosed publicly. The company continues to monitor for activity connected to the incident.

What protection is EY offering after the breach?

EY is offering eligible affected individuals 24 months of complimentary Experian IdentityWorks credit monitoring and identity restoration services.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages