EY Data Breach Exposes Client Tax Documents Through Third-Party Support Platform
Ernst & Young LLP has disclosed a data breach in which an unauthorized third party accessed an external IT service management platform and downloaded documents connected to the firm’s tax-related client work.
The attacker accessed the platform between March 28 and April 12, 2026. EY detected unusual activity on April 23 and began investigating with help from an independent cybersecurity company.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
EY reported the incident to the California Attorney General on July 15. The regulator’s Ernst & Young breach notification page identifies March 28 and April 23 as the relevant incident dates.
How the EY data breach happened
EY uses a third-party IT service management platform to help its technology personnel support employees working on tax matters for clients. Support tickets created in the platform sometimes included documents containing client tax information.
An unauthorized party gained access to the platform and downloaded documents relating to several EY clients. The firm has not explained how the attacker entered the environment or whether compromised credentials, a software vulnerability or another method enabled the intrusion.
The EY data breach notification letter says the firm discovered anomalous activity on April 23. Its investigation later determined that the unauthorized access had occurred between March 28 and April 12.
| Event | Date |
|---|---|
| Unauthorized access began | March 28, 2026 |
| Confirmed access period ended | April 12, 2026 |
| EY detected anomalous activity | April 23, 2026 |
| Notification letters dated | July 13, 2026 |
| California filing published | July 15, 2026 |
What information was exposed?
The downloaded files contained personal information associated with certain individuals and financial information contained in, or used to prepare, tax filings. The precise data elements differ from one affected person to another.
Separate state reporting indicates that information exposed for some recipients may include Social Security numbers, financial account codes and credit or debit account information. However, not every person necessarily had all these data categories exposed.
EY’s generic California notice contains a placeholder where each recipient’s specific data elements would appear. People who receive a notification should check that section carefully to determine which information applies to them.
- Personal information identified during EY’s document review
- Financial information associated with tax preparation
- Social Security numbers for some affected individuals
- Financial account codes for some individuals
- Credit or debit account information for some recipients
How many people were affected?
EY has not publicly disclosed a nationwide total. The California Attorney General publishes sample notices when an organization notifies more than 500 California residents, indicating that the incident affected at least that reporting threshold in the state.
The regulator’s submitted breach notice record names Ernst & Young LLP as the reporting organization. It does not provide a total number of affected California residents.
Because the downloaded documents related to several EY clients, the incident may involve individuals who did not interact directly with the affected support platform. Their information may have appeared in documents attached to tickets by EY personnel.
EY says it found no evidence of data misuse
EY says it has no evidence that the exposed information has been misused or made public. The firm also says it has no reason to believe that the attacker deliberately targeted the individuals whose data appeared in the downloaded files.
A lack of confirmed misuse does not eliminate future risk. Tax and financial information can support convincing phishing messages, fraudulent account activity and attempts to open credit in another person’s name.
EY says it secured the affected environment, investigated the incident with external cybersecurity specialists and notified federal law enforcement. The company also continues to monitor for information connected to the breach.
Protection offered to affected individuals
EY is offering eligible recipients 24 months of complimentary Experian IdentityWorks services. The package includes credit monitoring and identity restoration support.
Enrollment requires the activation code included in the individual notification letter. Recipients should use the contact details and web address printed in the letter rather than following links in unexpected emails or text messages.
The sample EY notice also recommends reviewing account statements and credit reports for unfamiliar activity. People should report suspicious transactions directly to their bank or card provider.
What affected people should do now
Anyone who receives an EY breach letter should confirm which data elements were exposed and enroll in the monitoring service before the deadline stated in the notice.
If the exposed information includes a Social Security number, a credit freeze can provide stronger protection against criminals opening new accounts. The Federal Trade Commission’s credit freeze guidance explains that freezes are free and do not affect a person’s credit score.
- Activate the free identity monitoring offered by EY.
- Review bank and credit card statements regularly.
- Check credit reports for accounts or inquiries you do not recognize.
- Consider freezing credit files with Equifax, Experian and TransUnion.
- Change reused passwords and enable multifactor authentication.
- Treat unexpected tax, banking and EY-themed messages with caution.
- Contact financial institutions through verified phone numbers if suspicious activity appears.
A credit freeze prevents lenders from accessing a credit file to approve most new accounts. It does not stop fraud involving an existing bank account or payment card, so affected people should continue monitoring those accounts.
The FTC’s fraud alert and credit freeze information also explains the differences between these protections. A fraud alert asks businesses to verify an applicant’s identity, while a freeze blocks access to the credit report until the consumer lifts it.
Third-party support systems remain a security risk
IT support platforms can store a broad range of sensitive attachments because employees use them to troubleshoot problems. A compromised account or platform can therefore expose documents from several departments and clients.
Organizations can reduce this risk by restricting sensitive attachments, automatically deleting old ticket data, limiting employee permissions and applying stronger authentication controls. They should also monitor bulk downloads and other unusual activity within support systems.
EY has not named the platform provider or disclosed whether the incident affected other customers of that service. No threat actor has publicly received attribution for the breach.
FAQ
An unauthorized third party accessed a third-party IT service management platform used by EY personnel and downloaded documents connected to tax-related client work.
EY determined that the unauthorized party accessed the platform between March 28 and April 12, 2026. The firm detected anomalous activity on April 23.
The downloaded documents contained personal information and financial information used in, or associated with, tax filings. Some notices identify Social Security numbers, financial account codes and credit or debit account information, but the exposed data varies by recipient.
EY has not published a nationwide total. Its filing with the California Attorney General indicates that the notification reached more than 500 California residents, which triggers the state’s sample notice requirement.
EY says it has no evidence that the exposed information has been misused or disclosed publicly. The company continues to monitor for activity connected to the incident.
EY is offering eligible affected individuals 24 months of complimentary Experian IdentityWorks credit monitoring and identity restoration services.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages