Ernst & Young Data Breach Exposes Social Security Numberes

Published
July 18, 2026
Updated
July 18, 2026
Ernst & Young Data Breach Exposes Social Security Numberes
EY
Affected by the data breach? You may be entitled to compensation. Submit a claim today.

Ernst & Young LLP, one of the "Big Four", disclosed a data breach that occurred in the spring of 2026.

The breach was reported to the California Attorney General and the Massachusetts Office of Consumer Affairs and Business Regulation on July 15, 2026, to the Vermont Attorney General on July 16, 2026, and to the Texas Attorney General on July 17, 2026.

According to state filings, the breach affected 873 Texas residents, 480 Massachusetts residents and 13 Vermont residents. EY identified unusual activity on March 23, 2026, according to the company's notification, and began notifying affected individuals through letters dated July 13, 2026, sent via U.S. Mail and email.

According to the company's notification letters, EY uses a third-party information technology service management platform to help its IT personnel provide support to teams performing tax-related work for clients. Support tickets submitted through the platform may include documents containing personal information. Because EY performs tax-related work for financial institutions, those documents could contain sensitive data about the institutions' customers.

Upon detecting the issue, EY's Information Security team began investigating to determine the nature and scope of the unauthorized access. Based on the investigation and available evidence, between March 28, 2026, and April 12, 2026, an unauthorized third party accessed the platform and downloaded documents pertaining to a number of EY clients. As disclosed in regulatory filings, the breach period extended through April 23, 2026.

The individuals affected by the breach are people whose personal information was held by financial institutions that use EY for professional tax services. These individuals may not have had a direct relationship with EY. Their personal data was provided to EY by the financial institutions in connection with investment-related tax work, as stated in the notification.

The personal information exposed in the breach included names, addresses, dates of birth, Social Security numbers, driver's license numbers, email addresses and phone numbers. Financial data was also compromised, including credit or debit card numbers, financial account codes and financial account information related to tax filings.

Ernst & Young's response

According to the company's notification, EY took steps to secure its systems and engaged third-party specialists to determine the full nature and scope of the incident. The company also notified federal law enforcement. EY stated that it continues to monitor for information that was exposed as a result of the breach.

In some notification letters, EY stated that it "does not believe that the incident will increase the risk of identity theft or fraud" for those individuals but was notifying them "out of an abundance of caution." Other notification letters did not include this language.

Given the sensitivity of the data involved, EY is offering affected individuals complimentary 24-month memberships to Experian IdentityWorks, a credit and identity monitoring service.

Affected individuals can activate the service through the enrollment link and personal activation code included in their notification letter. The deadline to enroll is 11:59 p.m. UTC on Oct. 31, 2026. The membership also includes identity theft insurance, underwritten by American Bankers Insurance Company of Florida, an Assurant company, as noted in the notification.

EY is also providing access to Experian's Identity Restoration service, which can help resolve cases of fraudulent identity theft. According to the notification letters, this service can assist with contacting credit grantors to dispute charges and close accounts, placing a freeze on credit files and working with government agencies to help restore an individual's identity. This service does not require enrollment and is available to all affected individuals.

EY has set up a dedicated phone line for questions at 833-391-7884, available Monday through Friday from 8 a.m. to 8 p.m. CST, excluding major U.S. holidays. Individuals may also reach the company by email at Privacy.Notification@ey.com.

SUBMIT YOUR CLAIM TO THE LAW FIRM HANDLING THIS INVESTIGATION

Types of INFORMATION affected
  • Names
    Names
  • Social security numbers
    Social Security Numbers
  • Dates of birth
    Dates of Birth
  • Addresses
    Addresses
  • Government IDs
    Government IDs
  • Medical Information
    Medical Info
  • Financial Info
    Financial Info
  • Affected information types not yet disclosed

Notice Letter

This browser does not support inline PDFs. Please download the PDF to view it: Download PDF

Affected Entity
EY
Consumers Notification date
Date of Breach
March 28, 2026 - April 23, 2026
Breach Discovered Date
Total People Affected
Information Types Exposed
  • Credit and Debit Account Info
  • Financial Account Codes
  • Name of individual
  • Address
  • Social Security Number Information
  • Financial Information (e.g. account number)
  • No information types mentioned
  • Social Security Numbers
  • [DATA
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image
CTA Image