Global consulting and accounting giant Ernst & Young (EY) has reported a data breach resulting from the compromise of a third-party IT service management platform. The breach, which occurred between late March and mid-April 2026, allowed an unauthorized third party to access and download sensitive client documents. These documents, which were attached to IT support tickets related to tax services, contained personal and financial information. This incident is a classic example of a supply chain attack, where a trusted vendor becomes the weak link in a security chain.
The attack targeted an external Information Technology Service Management (ITSM) platform used by EY's IT staff to manage and resolve support requests for its tax practice. Clients and EY personnel would submit tickets, sometimes attaching documents with sensitive data needed for tax preparation. An investigation revealed that an attacker gained access to this platform and exfiltrated documents associated with an undisclosed number of EY clients.
This was a supply chain attack that exploited the trust relationship between EY and its third-party service provider. The technical details of how the third-party platform itself was compromised are not public, but the attack on EY's data followed this pattern:
T1199 - Trusted Relationship.T1530 - Data from Cloud Storage Object.T1041 - Exfiltration Over C2 Channel or direct download through the compromised web application.The breach exposes sensitive personal and financial information of EY's tax clients, putting them at risk of fraud and identity theft. For EY, the incident causes significant reputational damage and undermines client trust. It also highlights a critical challenge for large organizations: securing data that is handled by a sprawling network of third-party vendors and cloud services. The financial impact will include the costs of the investigation, client notifications, potential credit monitoring services for affected individuals, and potential regulatory fines.
No specific Indicators of Compromise (IOCs) were mentioned in the source articles.
To detect similar supply chain breaches, organizations should focus on monitoring third-party service access:
EY's security team detected the breach by identifying "anomalous activity." This highlights the importance of behavioral analysis.
Enforcing MFA on all third-party service accounts would make it significantly harder for attackers to abuse stolen credentials.
Regularly auditing logs from third-party platforms for anomalous behavior, such as bulk downloads or unusual login patterns, can lead to earlier detection.
While applied to the third party, this represents the need for robust vendor security assessments to ensure they are managing their own vulnerabilities.
An unauthorized third party first gains access to the IT service management platform.
The period of unauthorized access ends.
EY's information security team identifies anomalous activity and initiates an incident response.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.