Ernst & Young LLP (EY) has confirmed a data security incident in which an unauthorized third party breached a third-party IT service management platform used by its tax practice, exfiltrating documents containing client personal and financial information.
The Big Four firm filed formal breach notifications with the California Attorney General’s office on July 15, 2026, and began mailing individual notice letters to affected clients dated July 13, 2026.
EY relies on a third-party information technology service management platform to help its internal IT personnel support teams performing tax-related work for clients.
EY Data Breach
Support tickets submitted through this platform routinely carried attachments containing sensitive client tax documents, a common but risky practice in enterprise IT support workflows.
EY’s Information Security team first identified anomalous activity within the platform on April 23, 2026, and immediately activated incident response procedures to determine scope, contain the intrusion, and begin recovery.
Working with an independent cybersecurity firm, investigators later determined that the actual unauthorized access began weeks earlier, between March 28, 2026, and April 12, 2026, meaning attackers operated undetected inside the platform for roughly two weeks before EY discovered the breach on April 23.
That detection gap gave the threat actor a substantial window to browse and exfiltrate support-ticket documents belonging to numerous EY clients.
The compromised information includes personal details tied to individuals’ investment holdings with EY’s institutional clients, as well as financial information contained in, or used to prepare, tax filings.
Because the exact data elements vary by recipient, EY’s notification letters use placeholder fields for specific categories such as Social Security numbers, though the letters confirm both personal identifiers and tax-preparation financial data were involved.
Rhode Island’s disclosure indicates the incident affected a relatively contained population, with the state receiving notice of just seven residents affected, suggesting a broader but not indiscriminately large set of victims.
Upon discovery, EY secured its systems, launched a forensic investigation with third-party specialists, and notified federal law enforcement.
EY states that unauthorized access has been stopped, that affected systems are now secure, and that it has found no evidence of misuse or of any individual’s data being specifically targeted.
As a remediation measure, EY is offering affected individuals 24 months of complimentary Experian IdentityWorks credit and identity monitoring plus Identity Restoration services, with enrollment required by October 31, 2026. This is EY’s second major data exposure incident within roughly nine months.
In late October 2025, researchers at Neo Security discovered a 4TB SQL Server backup file left publicly accessible on Microsoft Azure Storage due to a cloud migration misconfiguration, though EY said the exposure was limited to an entity acquired by EY Italy and did not affect client or global systems.
The latest incident, by contrast, involves confirmed unauthorized third-party access and data downloading rather than a misconfiguration, and directly implicates client tax records across EY’s institutional customer base.
The incident underscores a persistent enterprise risk: support-ticketing systems that ingest client attachments for troubleshooting often become de facto repositories of sensitive data, without receiving the same security scrutiny as core financial systems.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

