
Ernst & Young (EY) is notifying affected individuals that personal and financial information was exposed after attackers breached a third-party IT service management platform used by the firm's tax practice.
The professional services giant says the incident resulted in unauthorized access to documents belonging to multiple tax clients, though it has not found evidence that the stolen information has been misused.
According to notification letters dated July 13, 2026, EY detected anomalous activity involving the platform on April 23, 2026, prompting its Information Security team to launch an investigation and engage an independent cybersecurity firm to determine the scope of the compromise and contain the incident. The company also notified federal law enforcement and says the unauthorized access has been stopped and the affected systems secured.
EY, formally Ernst & Young LLP, is one of the “Big Four” accounting and professional services firms, providing audit, tax, consulting, strategy, and transaction advisory services to organizations worldwide. The firm's tax practice handles sensitive financial and personal information for individuals and businesses.
The company says it relies on a third-party information technology service management platform to support IT personnel working on tax-related client engagements. Support tickets submitted through the platform may include documents containing client tax information. Based on the investigation, an unauthorized third party accessed the platform between March 28, 2026, and April 12, 2026, and downloaded documents relating to a number of EY clients before the activity was discovered weeks later.
While the notification uses placeholder text for the specific categories of affected data, it states that the exposed information includes affected individuals' personal information as well as certain financial information contained in or used to prepare tax filings. The exact data elements vary by recipient and would be listed individually in each notification letter. EY says it currently has no indication that the personal information has been specifically targeted or that it has been misused, but is notifying affected individuals out of an abundance of caution.
As part of its response, EY says it secured its systems, initiated an internal investigation, retained external cybersecurity specialists, and continues to monitor for additional information related to the incident. The firm is also offering affected individuals 24 months of complimentary Experian IdentityWorks credit monitoring and identity restoration services. Eligible recipients must enroll by October 31, 2026, using the activation code included in their notification letter.
The notification also advises individuals to remain vigilant by reviewing financial accounts for suspicious activity, changing passwords and security questions if fraud is suspected, and considering additional protections such as fraud alerts or security freezes with the major credit bureaus.
The notice does not identify the threat actor responsible for the breach, disclose how the third-party platform was compromised, or specify how many individuals were affected. It also does not name the third-party service provider involved.







Leave a Reply