Ernst & Young Discloses Data Breach After Third-Party Support System Compromise
Global professional services firm Ernst & Young (EY) has revealed a data breach stemming from the compromise of a third-party support ticket system, potentially exposing client tax information.

Ernst & Young (EY), one of the world's largest auditing and professional services providers, has informed its clients about a data breach that occurred due to a compromise of a third-party support ticket system utilized by its IT personnel. The breach notification indicates that attackers gained unauthorized access to this system, potentially exposing sensitive client data.
EY detected unusual activity on its networks on April 23, 2026, and promptly launched an investigation with the assistance of external cybersecurity experts. Their findings revealed that an unauthorized third party accessed the support ticket platform between March 28 and April 12, 2026, and managed to download multiple documents. The compromised information included personal and financial data that was part of or used in the preparation of client tax filings.
The exact nature and extent of the exposed data remain somewhat unclear, as the notification sample provided by EY contained a placeholder for specific data types. Furthermore, the company has not disclosed the total number of affected customers or whether the incident is confined to its U.S. operations or has a broader international impact. This lack of specific detail leaves many questions unanswered regarding the full scope of the compromise.
In response to the incident, EY has taken steps to secure its systems and has reported the breach to federal law enforcement authorities. The company stated that the unauthorized access has been eradicated and that they are not aware of any misuse or further exposure of the stolen files. EY also indicated that there is currently no indication that specific individuals were deliberately targeted by the threat actors behind the attack.
To help mitigate potential risks for those affected, EY is offering 24 months of complimentary identity monitoring and restoration services through Experian. Clients who receive notification are urged to enroll in this service by October 31, 2026. This proactive measure aims to provide a safety net for individuals whose data may have been compromised.
As of the time of reporting, no cybercriminal or ransomware group has publicly claimed responsibility for the attack on Ernst & Young. The company has not yet responded to further inquiries from BleepingComputer for additional details on the incident, leaving the full narrative of the attack and its perpetrators still unfolding.
This incident highlights the persistent risks associated with third-party vendor security. Even large, established organizations like EY are vulnerable when their supply chain partners experience security failures. The compromise of a support ticket system, often containing a wealth of client information, underscores the critical need for robust vendor risk management and continuous security monitoring across all digital touchpoints.
The new article provides further details on the EY data breach, specifying that the compromise occurred between March 28 and April 12, 2026, and was detected on April 23. It also highlights that the attackers downloaded documents containing sensitive client tax data from a third-party IT support platform. EY is offering 24 months of complimentary credit monitoring to affected individuals and has notified federal law enforcement.