Skip to content
feed: live
>_ 0dayNews
threat intel
● Breaking

EY discloses breach via third-party IT ticket system

Ernst & Young says an unauthorized party accessed a third-party support ticket platform used by its IT staff between March 28 and April 12. Detection followed on April 23; disclosure landed July 17.

EY discloses breach via third-party IT ticket system
Photo: Froztbyte / Wikimedia Commons · CC BY-SA 4.0
airgap airgap · Published · 2 min read

Breaking. Confidence: high on what EY itself has confirmed. Vendor of the compromised support platform, threat actor, and count of affected individuals: unconfirmed — treat accordingly.

Ernst & Young disclosed a data breach today involving a third-party support ticket system used by its own IT personnel. Access was unauthorized. Documents were downloaded. That much EY says on the record.

The rest of the picture is thinner than a Big Four disclosure usually reads.

Timeline, per EY’s own notification.

  • March 28 – April 12, 2026. Window of unauthorized access. Sixteen days.
  • April 23, 2026. EY detected “anomalous network activity” and opened an investigation. Eleven days after the access window closed.
  • July 17, 2026. Public disclosure. Roughly three months after detection.

The gap between access and detection is the first thing to note. The gap between detection and disclosure is the second.

What was in the tickets. EY’s notification describes the exposed data as “certain personal and financial data contained in or used to prepare tax filings.” That is not a categorical breakdown — it is a placeholder phrase that covers a lot of ground. EY has not published a per-field list, has not disclosed the number of affected individuals, and has not named the support platform.

Third-party support-ticket surfaces sit in the same class of exposure the industry has been re-learning all year: an internal-facing SaaS holding sanitized copies of the messiest customer data, treated as low-risk because it isn’t “the production system,” accessed by IT staff with elevated context. It’s the same shape that produced the KDDI breach in May — 12 million email addresses out of a third-party zero-day the ISP still hasn’t named — and the ShinyHunters Salesforce path Microsoft mapped last week, where none of the OAuth abuse targeted a Salesforce bug. Different SaaS. Same pattern.

Attribution. None claimed. No extortion group has posted EY on a leak site at time of publication. No ransomware brand. EY says it has “no indication that particular individuals were targeted by the threat actors” — a phrase that generally reads as “opportunistic access, then bulk download” rather than a named-target intrusion, though EY has not published telemetry to support the read.

EY’s response. Systems secured, federal law enforcement notified, 24 months of Experian identity monitoring and restoration services offered to affected individuals. Enrollment deadline is October 31, 2026. Standard playbook.

What we do not know, listed plainly.

  • Which support-ticket platform.
  • How many people.
  • What countries — EY files US tax work but is a global partnership.
  • How the intruder got in (credential compromise, session token, vendor-side flaw, unpatched CVE).
  • Whether any tickets contained upstream client tax data covered by client-confidentiality obligations distinct from EY’s own personnel data.
  • Whether disclosure was triggered by a statutory clock or by breach counsel’s own timing.

Any writeup that fills those blanks in without a source is guessing. This one won’t.

Practical read for anyone running a similar surface. If your IT team uses a SaaS support-ticket platform, the tickets your engineers open against production incidents are your production data with a fresh coat of ambiguity. Data-classification and retention policy has to reach those platforms, not just the systems they describe. That’s the honest lesson from the March–April window here, and it’s the same lesson KDDI’s providers, Snowflake’s customers, and Salesforce’s OAuth-exposed tenants have each learned in turn over the last eighteen months.

Updates as EY names the platform, if it ever does.

Found this useful? Share it.