Ernst & Young reveals data breach after cyberattack after a third-party support ticketing system used by the company's IT staff was compromised. According to the company, support tickets may have contained documents with sensitive personal data and tax-related customer information.
According to EY, support cases submitted via the platform may have contained documents with sensitive customer information, including tax-related information.
EY is one of the world's four largest audit and consulting firms and offers audit, tax, advisory and transaction services to organizations in over 150 countries. The company has around 406,000 employees and reported global sales of $53.2 billion during the last fiscal year.
In the message to affected clients, EY states that the company discovered suspicious activity on its networks on April 23 and immediately launched an internal investigation.
With the support of external cybersecurity experts, EY that an unauthorized actor had access to the relevant support system between March 28 and April 12. During this period, a number of documents were downloaded from the platform.
The exposed information includes: according to EY, certain personal and financial data that was included in, or used to prepare, tax returns. However, the company has not specified exactly which data types were affected, making the scope of the exposed information unclear.
EY has also not stated how many clients have been affected or whether the incident only affects the US operations or also clients in other countries.
According to the company, the systems have now been secured and the unauthorized access has been stopped. The incident has also been reported to federal law enforcement agencies in the United States.
EY further states that there are currently no indications that the stolen information has been misused or disseminated. The company also says it sees no signs that individuals were specifically targeted for the attack.
As a precautionary measure, EY is offering affected clients 24 months of identity monitoring and recovery services through Experian. Clients who have been notified of the incident are encouraged to register by October 31, 2026.
At the time of publication, no ransomware or data extortion group has claimed responsibility for the attack on Ernst & Young.
The incident shows how even global companies like Ernst & Young can be affected when third-party providers are compromised. At the same time, the incident highlights the importance of protecting support platforms and sensitive customer data against increasingly sophisticated cyber threats.








