Cyber Incident Victim: Ernst & Young

Date: May 2023

Location: United States of America

Summary

A cybersecurity incident impacted Ernst & Young via a vulnerability in the third-party MOVEit Transfer software used by the firm. The breach resulted in unauthorized access to files containing the personal information of over 30,000 individuals. The compromised data included names, addresses, financial account information, government-issued identification numbers, and Social Security numbers. The company notified affected individuals and offered complimentary credit monitoring and identity theft protection services.

Description

On or around May 27, 2023, a significant security incident began affecting the United States firm of Ernst & Young LLP (EY US). The breach was not a direct attack on EY's own internal systems but was part of a larger, widespread supply-chain attack targeting a third-party software product. The attackers exploited a critical security vulnerability in MOVEit Transfer, a secure file transfer tool developed by Progress Software and used by organizations globally to move sensitive data files. EY US utilized this software as part of its operations.

Progress Software informed EY US of the security vulnerability on May 31, 2023, which also served as the date EY discovered the breach affecting its environment. The investigation determined the unauthorized access to files within the MOVEit tool occurred between May 27 and May 31, 2023. Upon becoming aware of the issue, EY US promptly launched an internal investigation and took immediate, urgent steps to secure its systems and prevent further use of the compromised MOVEit service. The firm engaged third-party security experts to assist in investigating the full scope of the incident and to advise on its response and remediation efforts.

The investigation revealed that certain files transferred or stored using the MOVEit tool had been compromised. An extensive analysis was conducted to determine the specific individuals and data affected. The breach involved personal data. For a total of 30,210 individuals across the United States, the acquired information consisted of a name or other personal identifier in combination with a driver's license number or non-driver identification card number. This group included 100 residents of Maine. A separate notification indicated that for 2,408 residents of Delaware, the scope of personal data involved was broader. The compromised information for these individuals potentially included first name or first initial and last name, address, financial account information, debit or credit card numbers, Social Security number, and/or other unique government-issued identification numbers.

EY US undertook a process to confirm the identities and contact information of all affected individuals. The firm began mailing written notification letters to those impacted on August 9, 2023. This notification explained the nature of the incident and the steps individuals could take to protect themselves. A dedicated call center was established to answer questions from concerned consumers. In its notifications to state authorities, EY US, represented by its attorneys at King & Spalding LLP, confirmed the breach was categorized as an external system breach due to hacking.

In response to the potential risk of identity theft and fraud, EY US offered all affected individuals complimentary identity theft protection services. The firm provided a two-year membership to Experian IdentityWorks, a service managed by the provider Experian. This service included daily monitoring of credit reports at the three national credit reporting agencies—Experian, Equifax, and TransUnion—along with internet surveillance and identity theft restoration support. The offering was described as a 24-month complimentary subscription, and enrollment instructions were provided in the notification letters.

The incident was reported to relevant data protection and privacy regulators, including the Information Commissioner's Office (ICO) in the UK, where EY's global operations were also impacted, and to numerous state Attorneys General in the United States. The Maine Attorney General's office was notified that 100 state residents were affected. The Delaware Department of Justice received a detailed notification letter dated August 30, 2023, which outlined the impact on 2,408 of its residents. EY US confirmed that its systems and servers, distinct from the third-party MOVEit application, were not compromised during this attack.

The attackers who exploited the vulnerability were identified as being linked to the Clop ransomware group, a notorious cybercriminal organization believed to be based in Russia. This group publicly claimed responsibility for the mass hack and employed a tactic of extortion, threatening to publish stolen data from victim organizations that did not contact them to negotiate a ransom payment. The typical ransom demands were for sums amounting to hundreds of thousands or even millions of dollars' worth of Bitcoin. While EY US acknowledged the download of data during the attack, there was no public confirmation from the company or the threat actors regarding whether any stolen EY data was subsequently published on the gang's darknet website or whether a ransom was paid.

The impact of this incident extended beyond EY's direct employees or clients. In its public statements, EY noted it provides consulting, advisory, and tax services to Bank of America and that, as part of those services, it handles information that includes personal data. The notification letters clarified that the compromised files contained data related to this service relationship, though Bank of America confirmed its own systems and servers were not impacted by the event. The breach at EY was a single instance within a much larger campaign that affected numerous major organizations worldwide, including British Airways, the BBC, Boots, and Zellis—a payroll processor—highlighting the severe consequences of supply-chain attacks on widely used software products.
