EY Data Breach: Attackers Access IT Support, Download Documents
Key Takeaways Ernst & Young (EY) disclosed a data breach affecting a third-party IT support platform. Unauthorized access occurred between March 28, 2026, and April 12, 2026, leading to the...
Key Takeaways
- Ernst & Young (EY) disclosed a data breach affecting a third-party IT support platform.
- Unauthorized access occurred between March 28, 2026, and April 12, 2026, leading to the download of client tax documents.
- The compromised data includes personal investment holdings and financial information used for tax preparation.
- This incident is distinct from previous EY security disclosures, highlighting persistent challenges in third-party vendor security.
EY Discloses Client Tax Data Breach Via IT Support Platform
Ernst & Young LLP (EY), one of the “Big Four” accounting and consulting firms, has begun notifying clients about a security incident involving a third-party support ticket system. An unauthorized actor gained access to this platform, subsequently downloading documents that contained sensitive client tax information over a period of approximately two weeks this spring.
Table Of Content
Details of the breach were officially filed with the California Attorney General’s office on July 15, 2026, confirming the scope and nature of the compromise.
Incident Details and Timeline
According to EY’s notification letter, dated July 13, 2026, the firm utilizes an external IT service management platform. This system is designed to facilitate support for internal teams engaged in client-related tax work. Critically, support tickets submitted through this platform frequently included attachments containing confidential client tax information—a common, yet high-risk, practice within enterprise IT support operations.
EY’s internal security teams first detected unusual activity within the platform on April 23, 2026, promptly initiating their incident response protocols. A subsequent investigation, conducted with the assistance of an independent cybersecurity firm, revealed that the unauthorized access had actually commenced much earlier, specifically between March 28, 2026, and April 12, 2026. During this window, the attacker managed to download various documents related to numerous EY clients before the intrusion was identified.
The nearly three-week gap between the initial compromise and its detection provided a significant opportunity for the attackers to exfiltrate data without immediate intervention.
Impacted Data and Previous Incidents
The documents accessed by the unauthorized party contained personal information linked to individuals’ investment portfolios with EY’s institutional clients. Additionally, financial details essential for preparing tax filings were also exposed. EY’s letter said that, at present, there is no evidence suggesting the misuse of the exposed data or that specific individuals were deliberately targeted.
This latest incident is separate from other recent security lapses experienced by EY. In October 2025, a 4TB SQL Server backup associated with EY’s Italian entity was found publicly accessible on Azure storage by security researchers. Furthermore, EY was impacted in 2023 by the widespread exploitation of the MOVEit Transfer vulnerability, which affected over 30,000 individuals.
The Growing Threat to IT Service Platforms
Cyber adversaries are increasingly focusing their attacks on IT service management and helpdesk platforms. These systems are attractive targets because support tickets often consolidate sensitive attachments from numerous clients into a single environment, which may sometimes lack adequate security measures. For a global firm like EY, which handles tax data for financial institutions worldwide, a compromised support system can lead to a cascading exposure affecting a multitude of downstream clients and their end customers, thereby escalating both regulatory scrutiny and reputational damage.
What You Should Do
- Review Third-Party Vendor Security: Organizations should conduct thorough security assessments of all third-party IT service providers, paying close attention to data handling practices and incident response capabilities.
- Implement Data Minimization: Limit the amount of sensitive data attached to support tickets. Explore secure alternatives for sharing confidential information.
- Enhance Monitoring: Implement robust monitoring and logging on all IT service management platforms to detect anomalous activity promptly.
- Strengthen Access Controls: Ensure stringent access controls, multi-factor authentication (MFA), and regular access reviews for all users of IT support systems, especially those with access to sensitive client data.
- Educate Staff: Train IT support staff on secure data handling practices and the risks associated with attaching sensitive information to support tickets.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.