Ernst & Young Tells Clients Their Tax Data Was Taken From a Support Ticket System

The Big Four firm says an outside party pulled documents from a third-party helpdesk platform between late March and mid-April. Affected clients get 24 months of identity monitoring through Experian.

ThreatVectr Newsdesk· 3 min read
A modern glass office tower at dusk with warm interior lights on upper floors, reflecting a muted city skyline
Share

Key points

  • Ernst & Young detected suspicious activity on its network on April 23 and traced the intrusion to a third-party support ticket platform used by its IT staff.
  • The unauthorised party accessed the system between March 28 and April 12 and downloaded multiple documents, some containing client tax information.
  • EY is offering affected clients 24 months of identity monitoring and restoration through Experian, with an enrolment deadline of October 31, 2026.
  • The firm has not said how many clients were affected or which countries are involved.
  • No ransomware or extortion group has claimed responsibility.

Ernst & Young, one of the four largest auditing and advisory firms in the world, is writing to clients to tell them that some of their tax paperwork was taken by an outside party. The firm employs about 406,000 people and reported global revenue of $53.2 billion last year.

The breach did not hit EY's own core systems. It hit a third-party support ticket platform: a helpdesk tool where IT staff track and resolve requests. Support tickets on that platform sometimes had documents attached, and some of those documents contained client tax data.

According to the notification sample first reported by BleepingComputer, EY spotted "anomalous activity" on its network on April 23 and brought in outside cybersecurity specialists. The investigation concluded that an unauthorised party had access to the helpdesk platform between March 28 and April 12, and downloaded files during that window.

What was actually taken?

Certain personal and financial information used to prepare tax filings. The notification letter uses a placeholder where the specific data categories should appear, so the exact fields, names, addresses, tax identification numbers, income figures, are not spelled out in the sample. EY has also not disclosed how many clients received letters, or whether the incident is limited to United States clients.

The firm says it has secured its systems, removed the unauthorised access, and notified federal law enforcement. It adds that it has no evidence the stolen files have been misused, published, or that specific individuals were targeted.

Affected clients are being offered 24 months of identity monitoring and restoration services through Experian. Recipients need to enrol by October 31, 2026.

What should affected clients actually do?

Enrol in the Experian monitoring before the deadline, and treat any unexpected tax correspondence with suspicion. Tax data is useful to criminals for two practical reasons: filing fraudulent tax returns in someone else's name to collect a refund, and building convincing scam emails or phone calls that reference real numbers from a real filing.

If you get a call or email claiming to be from a tax authority or from EY asking you to "verify" details, hang up or delete it, then contact the organisation directly using a number you already trust. Watch bank and credit card statements. Consider a credit freeze if you are in a country that offers one.

No extortion or ransomware crew has posted EY data or claimed the attack. That does not mean the files will stay quiet forever. Stolen data often surfaces months later, sometimes bundled into other leaks, sometimes sold quietly.

The incident is a reminder of a boring but important point: third-party tools sit inside the security perimeter of the companies that use them. A helpdesk platform that stores attachments is, in practice, a filing cabinet full of customer records. When that cabinet gets picked, the client whose data was inside pays the price, not the vendor.

EY has not publicly identified the support ticket vendor, and has not answered questions about the number of clients affected or the geographic scope.

© 2026 Threat Vectr