Ernst & Young (EY), one of the world’s largest professional services firms, has notified clients of a data breach that exposed sensitive tax records. This incident, revealed in early June 2024, underscores the risks organisations face when sharing financial information with external advisors and highlights the growing threat of supply chain compromise in the professional services sector.
Details of the Ernst & Young Data Breach
The Ernst & Young data breach was publicly acknowledged in June 2024, following internal investigations and client notifications. EY confirmed that unauthorised parties had gained access to certain client tax records. While the full scope of the breach is still being assessed, initial disclosures indicate that highly sensitive tax data, potentially including personally identifiable information (PII) and confidential corporate records, was exposed.
The breach was discovered when EY’s security team identified suspicious activity involving data transfers from their tax advisory systems. Immediate efforts were made to contain the incident, including isolating affected systems and launching a forensic investigation to determine the intrusion vector and the breadth of compromised information.
- When: The breach was detected in early June 2024, with client notifications issued shortly after initial discovery.
- Who is affected: Current and former EY clients who shared tax-related documents and information with the firm are considered at risk. The exact number of affected individuals and organisations has not been made public.
- What was exposed: Sensitive tax records, including client names, financial details, and potentially other PII.
- Which systems: The breach appears to have focused on EY’s tax advisory platforms, but the investigation is ongoing.
- Current exploitation status: There is no confirmed evidence of leaked data appearing in the public domain, but EY has warned clients to remain vigilant for potential misuse.
How the Attack Occurred and Timeline of Events
While EY has not released full technical details, early indications suggest the breach may have involved compromised credentials or exploitation of weaknesses in remote access to tax advisory systems. This aligns with broader trends in cybercrime, where attackers increasingly target third-party firms holding valuable data on behalf of clients, particularly in sectors handling sensitive financial information.
The incident unfolded as follows:
- Late May 2024: EY’s security monitoring detected unusual activity in their tax data repositories.
- Early June 2024: An internal investigation confirmed unauthorised access and data exfiltration was possible.
- First week of June: EY began notifying affected clients, offering guidance on potential risks and protective measures.
- Ongoing: EY continues to work with external cybersecurity experts to analyse the breach, secure affected systems, and determine the full impact.
The company has not disclosed which client organisations or jurisdictions were impacted, although the breach’s focus on tax records suggests potential exposure of both corporate and individual data.
Impacted Parties and Supply Chain Risk
EY’s client base includes multinational corporations, government agencies, and high net-worth individuals, all of whom rely on the firm for tax advisory and compliance services. The breach highlights the inherent risks in sharing sensitive information with external consultants and underscores the importance of robust third-party risk management.
Specifically affected are:
- Organisations that have submitted corporate tax filings or financial statements to EY in recent years
- Individuals whose tax information was processed or stored by EY
- Any third parties indirectly referenced in the compromised documents
The breach increases the risk of targeted phishing attacks, identity theft, and financial fraud for those whose information was exposed. EY has urged affected clients to monitor for suspicious activity and to review their own vendor risk management processes.
Why This Data Breach Matters
This incident is significant not only due to the scale and sensitivity of the information involved, but also because it reflects the broader supply chain vulnerabilities facing organisations that entrust critical data to external advisors. The breach demonstrates that even firms with substantial security resources can be targeted, and that supply chain attacks remain a persistent threat vector.
For organisations, this event serves as a reminder of the need for:
- Continuous monitoring of third-party access to sensitive data
- Clear vendor assurance checks and security due diligence
- Incident response plans that include supply chain scenarios
Immediate Actions for Affected Organisations
In response to the Ernst & Young data breach, affected organisations should:
- Review communications from EY for specific guidance and breach details
- Monitor financial accounts and sensitive systems for signs of misuse
- Evaluate supply chain risk exposure and update vendor assurance processes as necessary
Further technical analysis and public updates from EY are expected as the investigation progresses. In the meantime, vigilance and proactive risk management are critical for organisations potentially impacted by this breach.
Originally reported by Unknown.




