SYS::ONLINE
Wasteland.
Briefs1226
Issues19
SinceFeb 2026
LIVE
▣ Breach EY-THIRD-PARTY 2026-07-17

Ernst & Young: Third-Party Platform Breach Exposes Client Tax Data

"Ernst & Young (EY), one of the "Big Four" accounting and professional services firms, is notifying affected individuals that personal and financial tax information was exposed after attackers breached a third-party IT…"

Ernst & Young (EY), one of the "Big Four" accounting and professional services firms, is notifying affected individuals that personal and financial tax information was exposed after attackers breached a third-party IT service management platform used by the firm's tax practice. According to notification letters dated July 13, 2026, an unauthorized third party accessed the platform between March 28 and April 12, 2026, downloading documents belonging to multiple tax clients before the activity was detected weeks later.

What Happened

EY relies on an external IT service management (ITSM) platform to support IT personnel working on tax-related client engagements. Support tickets submitted through that platform routinely include attached documents containing sensitive client tax information. Attackers gained unauthorized access to this platform and exfiltrated documents relating to a number of EY clients.

The intrusion window ran from March 28, 2026, to April 12, 2026. EY did not detect the anomalous activity until April 23, 2026, roughly two weeks after the attacker's access ended. Upon detection, the firm's Information Security team launched an investigation, engaged an independent cybersecurity firm to determine the scope and contain the incident, and notified federal law enforcement. EY says the unauthorized access has since been stopped and the affected systems secured.

What Was Taken

The stolen documents contain affected individuals' personal information along with certain financial information contained in or used to prepare tax filings. Because tax documents were the payload, the exposed data is highly sensitive, potentially including Social Security numbers, income figures, financial account details, and other elements typically found in tax preparation records. The exact data elements vary by recipient and are listed individually in each notification letter.

EY has not disclosed a total count of affected individuals, describing the impact as documents "relating to a number of EY clients." The firm states it currently has no indication that the information has been specifically targeted or misused, and says it is notifying individuals out of an abundance of caution.

Why It Matters

This incident is a textbook example of third-party and supply-chain risk translating directly into client data loss. EY's own core systems were not the entry point. The weakness was a support tooling platform where sensitive documents accumulate as ticket attachments, a category of data that is easy to overlook in security reviews focused on primary business applications.

The sensitivity of the exposed data is what elevates this breach. Tax records are a near-complete identity theft toolkit: they combine government identifiers, financial account data, and income history in a single document. That makes affected individuals prime targets for fraudulent tax filing, financial account takeover, and highly convincing spear-phishing. The two-week detection gap between the attacker's last access and discovery also underscores how long exfiltration can go unnoticed when monitoring is weaker on supporting platforms than on crown-jewel systems.

The Attack Technique

EY has not publicly disclosed the initial access vector or named the compromised ITSM vendor. What is known is that an unauthorized third party achieved access to the platform and downloaded documents over roughly a two-week window, indicating the attacker had sufficient privileges to browse and exfiltrate ticket attachments containing client files.

The pattern is consistent with common ITSM compromise routes: credential theft or reuse, exploitation of a vulnerable platform component, or abuse of an over-privileged integration or service account. The delayed detection suggests the exfiltration did not trigger volume-based or anomaly alerts at the time it occurred, pointing to gaps in data loss monitoring around the support platform.

What Organizations Should Do

Sources: EY says client tax data exposed in third-party IT software breach

TWEET: EY breached via a third-party IT support platform. Attackers downloaded client tax documents (personal + financial data) over a 2-week window before detection. Full breakdown: https://wasteland.me/intel/ey-third-party-tax-data-breach #CyberSecurity #ThreatIntel