ctipilot.ch

Ernst & Young third-party ITSM breach

incident · incident:ey-third-party-itsm-breach-2026

Unauthorized access (2026-03-28 to 04-12, detected 2026-04-23) to a third-party IT service-management/support-ticket platform used by Ernst & Young LLP's tax practice; documents containing client tax/financial data were downloaded. Disclosed via California/Vermont AG breach notifications filed 2026-07-15; EY has not named the platform, the access vector, or the affected count (California OAG, BleepingComputer, CyberInsider, 2026-07-15/17).

Coverage timeline
1
first 2026-07-19 → last 2026-07-19
Peak priority
notable
1 notable
Sources cited
3
3 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1199Trusted Relationship×1

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

Evidence: 2026-07-19/ernst-young-third-party-itsm-platform-breach-client-tax-data · ATT&CK page ↗

Collection TA0009

T1213Data from Information Repositories×1

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

Evidence: 2026-07-19/ernst-young-third-party-itsm-platform-breach-client-tax-data · ATT&CK page ↗

Story timeline

  1. 2026-07-19Ernst & Young discloses a breach of a third-party IT support-ticket platform used by its tax practice, exposing client tax and financial documents
    active-threatsEY discloses client tax-data exposure after a third-party ITSM support-ticket platform was breached

Where this entity is cited

  • active-threats1

Source distribution

  • bleepingcomputer.com1 (33%)
  • cyberinsider.com1 (33%)
  • oag.ca.gov1 (33%)

explore in graph

Entries about Ernst & Young third-party ITSM breach (1)

2026-07-19 · view entry permalink →

NOTABLENATOA2

Ernst & Young discloses a breach of a third-party IT support-ticket platform used by its tax practice, exposing client tax and financial documents

Ernst & Young LLP (EY), one of the "Big Four" audit/tax/consulting networks, filed data-breach notifications with the California and Vermont Attorneys General on 2026-07-15 after determining that an unauthorized third party had accessed a third-party IT service-management (ITSM) platform used by its tax practice (California OAG, 2026-07-15). EY detected anomalous activity on 2026-04-23 and an external forensics firm concluded that the intruder had access "between March 28 and April 12 and downloaded multiple documents" belonging to multiple tax clients — a roughly two-week access window, detected about eleven days after the intruder's access ended (BleepingComputer, 2026-07-17). The platform manages IT support tickets for tax-engagement work, and "support tickets submitted through the platform may include documents containing client tax information" — the financial information used to prepare tax filings (CyberInsider, 2026-07-17); the regulatory notice letter itself redacts the specific data elements involved. EY has not disclosed the initial-access vector, named the compromised third-party platform, stated how many individuals are affected, or said whether non-US clients are impacted; no extortion or ransomware group has claimed the intrusion, and EY is offering 24 months of identity monitoring to affected individuals (BleepingComputer, 2026-07-17).

an unauthorized third party had accessed the said platform between March 28 and April 12 and downloaded multiple documents

BleepingComputer 2026-07-17

Support tickets submitted through the platform may include documents containing client tax information.

CyberInsider 2026-07-17

Sample of Notice: EY Notice Letter US General.pdf Organization Name: Ernst & Young LLP Date(s) of Breach (if known): Saturday, March 28, 2026 Thursday, April 23, 2026

California Office of the Attorney General (breach-notification filing) 2026-07-15
incident19 Jul 04:25Zmulti-sourceOpen finding ↗