Ernst & Young discloses a breach of a third-party IT support-ticket platform used by its tax practice, exposing client tax and financial documents
Ernst & Young LLP (EY), one of the "Big Four" audit/tax/consulting networks, filed data-breach notifications with the California and Vermont Attorneys General on 2026-07-15 after determining that an unauthorized third party had accessed a third-party IT service-management (ITSM) platform used by its tax practice (California OAG, 2026-07-15). EY detected anomalous activity on 2026-04-23 and an external forensics firm concluded that the intruder had access "between March 28 and April 12 and downloaded multiple documents" belonging to multiple tax clients — a roughly two-week access window, detected about eleven days after the intruder's access ended (BleepingComputer, 2026-07-17). The platform manages IT support tickets for tax-engagement work, and "support tickets submitted through the platform may include documents containing client tax information" — the financial information used to prepare tax filings (CyberInsider, 2026-07-17); the regulatory notice letter itself redacts the specific data elements involved. EY has not disclosed the initial-access vector, named the compromised third-party platform, stated how many individuals are affected, or said whether non-US clients are impacted; no extortion or ransomware group has claimed the intrusion, and EY is offering 24 months of identity monitoring to affected individuals (BleepingComputer, 2026-07-17).
an unauthorized third party had accessed the said platform between March 28 and April 12 and downloaded multiple documents
Support tickets submitted through the platform may include documents containing client tax information.
Sample of Notice: EY Notice Letter US General.pdf Organization Name: Ernst & Young LLP Date(s) of Breach (if known): Saturday, March 28, 2026 Thursday, April 23, 2026
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1199Trusted Relationship
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Collection TA0009
T1213Data from Information Repositories
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.