Professional Services Giant Ernst & Young (EY) Hacked | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker


Ernst & Young has begun notifying clients of a data breach after an attacker compromised a third-party support platform and downloaded documents containing personal and financial information used in preparing tax returns.

The incident affected an external IT service-management system used by EY employees supporting the firm’s client tax services. Support tickets created through the platform could include document attachments, creating a route through which confidential tax records and related financial information were exposed.

EY detected suspicious activity involving the platform on April 23, 2026, and launched an investigation with assistance from an independent cybersecurity firm. The investigation determined that an unauthorised third party had accessed the system between March 28 and April 12 and downloaded documents belonging to multiple clients.

The professional-services giant has not identified the compromised technology provider, disclosed how the attacker gained access or said whether stolen credentials, a software vulnerability or another intrusion method was involved.

The company has also not publicly revealed the total number of people affected. However, EY submitted a sample notification letter to the California Attorney General on July 15. California requires organisations to provide the attorney general with a sample notice when a breach notification is sent to more than 500 state residents, indicating that the incident affected at least hundreds of people in California alone. The filing should not be interpreted as the total scale of the breach, as EY may also be notifying people in other US states or countries. California’s breach-notification database lists March 28 and April 23 as the incident’s principal dates.


Stolen documents contained tax-related information

According to EY’s notification, the compromised support tickets could contain documents with personal and financial information included in, or used to prepare, client tax filings.

The public sample letter uses placeholders where the data categories specific to each recipient would ordinarily appear. Consequently, it does not establish that every affected person lost the same information or confirm whether Social Security numbers, bank account details, taxpayer identification numbers or other sensitive identifiers were exposed across the entire affected group.

Tax documentation can contain a particularly valuable combination of identity and financial information. Depending on the type of filing and supporting documents involved, records may include names, addresses, dates of birth, income information, employer details, investment activity, banking information, dependent information and government-issued identifiers.

Even when a stolen document does not contain enough information to commit fraud immediately, its contents can make subsequent attacks more convincing. Criminals could use details about an individual’s employer, income, tax adviser or financial arrangements to construct personalised phishing emails, impersonate a trusted organisation or attempt to defeat identity-verification questions.

The incident also illustrates why support systems can become unexpectedly valuable targets. Ticketing platforms are primarily designed to track problems, assign work and record communications, but employees frequently attach screenshots, log files, configuration data, spreadsheets and business documents to help resolve a request. Over time, the system may accumulate sensitive information extending well beyond basic support records.

In EY’s case, the ability to attach documents associated with tax work appears to have turned the support platform into a repository containing client financial data.

Attack remained undetected for more than a week

The currently disclosed timeline indicates that the intruder maintained access for approximately 16 days, from March 28 through April 12. EY did not detect the anomalous activity until April 23, 11 days after the known access period ended.

It remains unclear whether the attacker voluntarily stopped accessing the platform, lost access because of an unrelated change or remained present elsewhere after April 12. EY has not released technical indicators, described the number of accounts involved or said whether the attacker attempted to move from the third-party platform into EY’s internal environment.

The company said it worked with an independent cybersecurity firm to investigate the incident, secure affected systems and confirm that unauthorised access had ended. EY also notified federal law-enforcement authorities.

EY said it had found no evidence that the stolen information had been misused or exposed elsewhere and no indication that particular individuals had been deliberately targeted. That assurance is helpful but does not eliminate the longer-term risk attached to the files.

Stolen personal information can remain useful for years, particularly when it includes relatively permanent identifiers such as a name, date of birth or Social Security number. Threat actors may also retain stolen documents privately, trade them between criminal groups or use them selectively without publishing the material on a leak site.

As of July 17, no known ransomware or data-extortion operation had publicly claimed responsibility for the incident. EY has not characterised the intrusion as ransomware and has not reported encryption, operational disruption or an extortion demand.

Article content

Third-party provider remains unidentified

EY’s decision not to name the affected support provider leaves several important questions unanswered, including whether the incident was limited to a tenant used by EY or formed part of a broader compromise affecting other customers of the same platform.

There is also no public information on whether the attacker exploited a vulnerability in the provider’s software, compromised an EY employee account, obtained a vendor administrator’s credentials or abused an application integration.

The distinction is significant. A compromise isolated to one EY account would present a different level of supply-chain risk from an intrusion into the provider’s underlying infrastructure. If the attacker obtained administrator-level access at the vendor, other organisations using the service could potentially face similar exposure.

Third-party business applications have become attractive targets because a single provider may store information belonging to many large organisations. Cloud-based support, file-transfer, payroll, customer-management and human-resources platforms are particularly useful to attackers because they centralise sensitive records and often connect to customers’ internal systems.

An organisation can therefore maintain strong controls around its principal network and still suffer a breach when confidential data is copied into a vendor-operated system. Security obligations do not end when information leaves the organisation’s own infrastructure; companies must also understand where service providers store data, who can access it, how long attachments are retained and what monitoring exists to detect abnormal downloads.

The EY incident suggests that organisations should treat ticket attachments as governed records rather than temporary troubleshooting material. Practical controls can include restricting the file types and information that users may upload, automatically identifying sensitive data, encrypting attachments, enforcing short retention periods and requiring stronger authentication for support personnel.

Download-volume monitoring is also important. A support user opening several documents while investigating a case may be normal, while one account retrieving hundreds of unrelated attachments could indicate theft. Effective controls must distinguish between those patterns quickly enough to interrupt an intrusion before large volumes of data leave the service.

EY offers two years of identity protection

EY is providing affected individuals with 24 months of identity-monitoring and restoration services through Experian. Recipients must enrol by October 31, 2026, according to the notification.

The protection may help detect some attempts to open credit accounts using stolen information, but credit monitoring alone does not prevent every form of tax, banking or identity fraud. Affected individuals should independently confirm that an enrolment message is genuine by using the contact information in EY’s official letter rather than following links in unexpected emails.

The notification itself may create an opportunity for follow-on phishing. Attackers commonly exploit public breach disclosures by impersonating the affected company, its monitoring provider, a bank or a government agency. A fraudulent message could claim that a recipient must “verify” their identity, review an exposed tax document or confirm eligibility for compensation.

People whose Social Security number or taxpayer information was exposed may also consider obtaining an Internal Revenue Service Identity Protection PIN. An IP PIN is a six-digit number that prevents someone from filing a federal tax return using the taxpayer’s Social Security number or Individual Taxpayer Identification Number without the additional code. The IRS says anyone who can verify their identity may enrol and warns that it will never call, email or text someone asking for their IP PIN. The IRS provides enrolment instructions and additional safeguards on its official website.

Other precautions include reviewing credit reports, monitoring bank and investment accounts, enabling multifactor authentication and watching for unexpected correspondence concerning tax returns, refunds or newly opened accounts. A credit freeze may provide stronger protection against new-account fraud than monitoring alone because it restricts access to the person’s credit file.

Breach affects one of the world’s largest professional-services networks

EY is one of the “Big Four” accounting and professional-services organisations, alongside Deloitte, KPMG and PwC. Its operations span more than 150 countries and include assurance, tax, consulting, and strategy and transaction services.

The organisation reported combined global revenue of $53.2 billion for the financial year ending June 2025, representing growth of 4% in local currency. Its tax business generated $12.7 billion during that period, while its global workforce grew to more than 406,000 people. EY’s published financial results demonstrate the scale of the network and the volume of potentially sensitive client information handled across its services.

This is not EY’s first exposure to a breach involving third-party technology. The firm was among numerous organisations affected by the widespread exploitation of Progress Software’s MOVEit Transfer product in 2023. That campaign compromised data held by service providers and demonstrated how a flaw in one commonly used enterprise platform could spread across a large international customer base.

The newly disclosed incident appears separate from the MOVEit attacks. There is currently no evidence connecting it to that campaign or suggesting that the same threat actor was involved.

EY’s latest notification leaves several central facts unresolved, including the identity of the support provider, the intrusion’s initial access method, the complete list of exposed data types and the total number and geographic distribution of affected clients.

Until those details are released, the full scale of the incident remains uncertain. What is clear is that an attacker obtained access to a system containing client tax documents, remained able to retrieve files for more than two weeks and was not detected until after the known access period had ended.

Article content

Article content



Click Here For The Original Source.

——————————————————–

..........

.

.

National Cyber Security

FREE
VIEW