Skip to main content
Jump to a category page

Ernst & Young LLP, one of the “Big Four” global professional services and accounting firms, has disclosed a data breach exposing Social Security numbers, financial account codes, and credit and debit account information. The company filed notice with the California Attorney General on July 15, 2026, and with the Vermont Attorney General on July 16, 2026, for the same underlying incident.

According to the Vermont filing, the breach window ran from March 28, 2026 to April 23, 2026. An unconfirmed number of individuals were affected; California’s filing corroborates the same incident window but does not disclose a population figure, consistent with state policy.

Why the Scale Here Likely Goes Far Beyond What’s Confirmed

Thirteen confirmed Vermont residents is a fragment, not a full picture. EY is a global firm with hundreds of thousands of employees and a massive client base across every US state, the true number of people affected by this breach, once other states report, is almost certainly far larger than what’s been confirmed so far.

The gap between the breach window (ending April 23, 2026) and the first public notices (mid-July 2026) is roughly two-and-a-half to three-and-a-half months. EY has not publicly explained the reason for that gap.

What Information Was Exposed?

Based on the Vermont Attorney General filing, the compromised information includes:

  • Social Security Numbers
  • Financial Account Codes
  • Credit and Debit Account Information

What Is EY Offering Affected Individuals?

Ernst & Young is offering complimentary 24-month access to two products offered by Experian: IdentityWorks, a credit and identity monitoring service, and Identity Restoration.

Your Information Is at Risk

Social Security numbers combined with financial account codes and credit/debit account information is one of the most directly usable combinations for financial fraud, it doesn’t just enable opening new accounts, it can enable direct access to existing ones.

If you received a Notice of Data Breach letter from EY, or if you’re an EY employee, client, or vendor who transacted with the firm between late March and late April 2026, you should:

  • Place a fraud alert or credit freeze with Equifax, Experian, and TransUnion
  • Monitor bank and credit card statements closely for unfamiliar activity
  • Contact your bank directly if you notice any unauthorized transactions
  • Watch for phishing attempts referencing EY or this breach

Do You Have Legal Options?

Professional services firms that collect Social Security numbers and financial account information have a legal obligation to safeguard that data and to notify affected individuals without unreasonable delay. A firm of EY’s size and resources is held to that standard just like any other company.

Contact the Data Breach Attorneys at Emery | Reddy today for a Free Case Review.

Your Personally Identifiable Information (PII) includes information that can be used to identify you, such as your name and other personal details. Organizations that manage healthcare data are legally required to safeguard this information. When PII is exposed in a data breach, it can potentially be used by cybercriminals to commit identity theft, financial fraud, or other misuse.

Residents of California may be entitled to additional protections under the California Consumer Privacy Act (CCPA), which provides enhanced rights regarding the collection, use, and safeguarding of personal information.

FAQ

How many people were affected by the Ernst & Young data breach?

At least 13 Vermont residents are confirmed so far. EY has not disclosed a nationwide total; given the firm’s size, the true number is likely much larger.

What information was exposed?

Social Security numbers, financial account codes, and credit and debit account information.

When did the breach happen?

The breach window ran from March 28, 2026 to April 23, 2026. EY filed notice with state regulators in mid-July 2026, roughly three months later.

What should I do if I received a notification letter?

Place a fraud alert or credit freeze with the three credit bureaus, monitor your financial accounts closely, and consider speaking with a data breach attorney about your options.

"Very friendly interview and intake process. I was informed thoroughly about the processes in obtaining a lawyer and was given ample time to make a decision on representation. I’m thankful for everyone’s help and looking forward to working with this Firm on my worker’s compensation claim."

- Darren A.

Receive a
FREE Case Review

Call Now