EY Discloses Data Breach Stemming from Third-Party Support System Compromise
Global professional services giant **Ernst & Young (EY)** has begun notifying clients of a data breach. The incident, which occurred between March 28 and April 12, involved unauthorized access to a third-party support ticket system used by EY's IT personnel, potentially exposing sensitive client tax information.
One of the worldβs 'Big Four' auditing and professional services providers, **EY**, is grappling with a data breach that exposed client information. The compromise originated from a third-party support ticket system utilized by the firm's IT department.
According to **EY**, support tickets submitted through this platform may have contained documents holding client tax details.
**EY**, which employs 406,000 people globally and reported a staggering $53.2 billion in revenue last year, initiated an investigation after detecting anomalous activity on its networks on April 23.
Working with external cybersecurity experts, **EY** determined that an unauthorized party gained access to the platform and downloaded multiple documents between March 28 and April 12.
The exposed information included personal and financial data typically used in or for the preparation of tax filings. While a sample notification letter indicates placeholders for specific data types, the precise nature of the exposed information remains undisclosed.
**EY** has not yet specified the number of affected customers or whether the breach extends beyond its U.S. client base to other international operations.
In response to the incident, **EY** has secured its systems, removed the unauthorized access, and notified federal law enforcement authorities. The company states it is unaware of any misuse or further exposure of the stolen files and has no indication that specific individuals were targeted.
To mitigate potential risks, **EY** is offering affected clients 24 months of identity monitoring and restoration services through **Experian**. Clients are urged to enroll by October 31, 2026.
As of now, no known data extortion or ransomware groups have claimed responsibility for the attack on **EY**.