Ernst and Young data breach exposes client tax documents through IT support platform

A third-party IT service management platform used by EY was breached for two weeks in spring 2026, leading to the theft of documents containing sensitive client tax data.

CSBadmin
2 Min Read

Ernst & Young LLP is notifying clients that a third-party IT service management platform used by the Big Four firm’s support staff was breached earlier this year, resulting in the theft of documents containing sensitive client tax information. According to breach notifications filed with the California Attorney General’s office on July 15, an unauthorized third party accessed the platform between March 28 and April 12 before the intrusion was detected on April 23.

The compromised platform is a support ticket system that EY’s information technology personnel use to assist internal teams handling tax-related work. Support tickets routinely included attachments with sensitive client tax data, a common practice in enterprise IT support workflows that creates a concentrated target for attackers.

EY stated that the stolen documents contained personal information related to individuals’ investment holdings with the firm’s institutional clients, along with financial data used in preparing tax filings. The company said it has found no evidence that the exposed information has been misused or that specific individuals were deliberately targeted.

This incident follows a pattern of security challenges for the firm. In October 2025, researchers discovered a 4 TB SQL Server backup tied to EY’s Italian entity publicly accessible on Azure storage. EY also previously suffered a breach in 2023 linked to the mass-exploited MOVEit Transfer vulnerability that affected over 30,000 individuals.

The breach underscores the risk inherent in IT service management and helpdesk platforms, where support tickets aggregate sensitive attachments from many clients within a single third-party environment. For firms processing tax data for financial institutions globally, a single compromised support system can cascade into exposure affecting numerous downstream clients and amplifying both regulatory scrutiny and reputational damage.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.