Ernst & Young says an unauthorized third party accessed a support-ticket platform between March 28 and April 12 and downloaded multiple documents, a breach the company detected on April 23 and subsequently disclosed to affected clients.
Timeline of the intrusion and discovery
According to the notification EY sent to clients, the company "detected anomalous activity on its networks on April 23 and initiated an investigation." That investigation, performed with help from external cybersecurity experts, concluded the support-ticket platform used by EY IT personnel had been accessed by an unauthorized actor from March 28 through April 12, during which multiple documents were downloaded.
EY says it "secured its systems and notified federal law enforcement authorities," and that the unauthorized access has been removed. At the time of publication, no actor had claimed responsibility and known extortion or ransomware groups had not attributed the attack to themselves.
What the company says was exposed — and what remains unclear
Ernst & Young warns that support tickets "submitted through the platform may have included documents containing client tax information." The notification further states the affected information included "certain personal and financial data contained in or used to prepare tax filings." However, the copy of the notification cited by the reporting outlet uses a placeholder for specific data types, and the company has not supplied greater granularity.
EY also has not disclosed how many customers were affected, nor whether the impact is limited to the U.S. or extends to its global client base. The notification sample and EY's public comments stop short of enumerating records exposed, listing affected jurisdictions, or identifying particular clients.
EY's response: containment, law enforcement, and monitoring for clients
In its outreach to clients, EY states it secured the affected systems, removed the unauthorized access, and notified federal law enforcement authorities. The company additionally says it is "not aware of any misuse or further exposure of the stolen files and has no indication that particular individuals were targeted by the threat actors."
To mitigate potential fallout, EY is offering affected clients "24 months of identity monitoring and restoration service through Experian" and is urging letter recipients to enroll by October 31, 2026. The company has not yet provided public figures for the number of letters sent, the geographic scope of notifications, or a breakdown of what Experian services will cover for enrolled clients.
What this means for EY clients, regulators, and security teams
- Clients: Organizations and individuals receiving notices should review the specific enrollment instructions for the Experian identity monitoring and restoration service and decide whether to opt in before the October 31, 2026 deadline. Recipients should also inventory whether support-ticket submissions historically contained tax documents or other sensitive files.
- Regulators and law enforcement: EY has notified federal law enforcement authorities; regulators reviewing breach disclosures will likely seek granular details on affected data types, customer counts, and cross-border impacts given the firm's global footprint in more than 150 countries.
- Security teams: The incident centers on a third-party support-ticket platform used by EY IT staff. Security practitioners will note the pathway — a support system for IT personnel — and may reassess how internal ticketing processes handle sensitive attachments and what monitoring exists for third-party platforms.
Attribution, public response, and immediate follow-ups
As of the reporting, no extortion or ransomware group has claimed responsibility for the breach. BleepingComputer contacted EY for additional details but "we have not yet received a response at the time of publication." The company has reported no evidence of targeted attacks against particular individuals and says it is not aware of misuse or further exposure of the downloaded files.
Ernst & Young is among the world’s four largest auditing and professional services firms, employing 406,000 people and reporting global revenue of $53.2 billion last year, with services in auditing, tax, consulting, and transaction advisory in more than 150 countries. That scale magnifies the operational and disclosure questions raised by a compromise of a platform used by its own IT personnel.
The company has signaled containment and client remediation, but has left open several operational and scope details: the precise types of tax-related data exposed, the count and location of affected clients, and whether investigators have identified the threat actor. How those open items are resolved will shape regulatory follow-up, client risk assessments, and any future public disclosures.
Source: BleepingComputer — Ernst & Young discloses data breach after support system hack




