Ernst & Young LLP (EY), a leading global professional services firm, has disclosed a data breach involving unauthorized access to a third-party IT service management platform used to support its client tax services. The breach, which occurred between March 28 and April 12, 2026, resulted in the download of documents containing sensitive client tax information.
EY detected unusual activity on April 23, 2026, prompting an immediate investigation. The firm determined that an unauthorized party had accessed the support ticket system, which often included attachments with personal and financial details related to clients’ tax filings. The specific number of affected individuals and the identity of the third-party provider have not been disclosed.
In response, EY has halted the unauthorized access, secured the affected systems, and engaged an independent cybersecurity firm to assist in the investigation. The company has also notified federal law enforcement and is offering affected individuals 24 months of complimentary credit monitoring and identity restoration services through Experian IdentityWorks, with enrollment required by October 31, 2026.
This incident is separate from previous security lapses at EY. In October 2025, a 4-terabyte SQL Server backup file was found publicly accessible on Microsoft Azure, exposing sensitive data. Additionally, in 2023, EY was affected by the MOVEit Transfer vulnerability, compromising data of over 30,000 individuals.
The recurrence of such breaches underscores the critical need for robust security measures, especially when handling sensitive client information. Organizations must ensure that third-party platforms adhere to stringent security protocols to prevent unauthorized access and data exposure.