Secretus logoSecretus

EY's breach came through a help-desk ticket system — the archive nobody guards

·6 min read

Ernst & Young — a Big Four firm that sells cybersecurity consulting — is notifying clients of a data breach. The entry point wasn't EY's network. It was a third-party IT service-management platform its support staff used to handle internal tickets for tax-related client work. According to the breach notifications filed on July 15, an unauthorized party had access to the platform between March 28 and April 12, 2026; anomalous activity was spotted on April 23, and the investigation has been unwinding what was taken ever since.

What was in there? Exactly what's in every mature ticketing system: attachments. Support tickets on the platform routinely carried documents containing clients' personal information, investment-holding details and financial data used to prepare tax filings. EY says it has no evidence of misuse so far, no extortion group has claimed the incident, and affected individuals are being offered 24 months of identity monitoring. All reasonable. But the interesting part is upstream of the response.

Ticket systems are archives wearing a workflow costume

Nobody thinks of a help-desk tool as a data warehouse. Yet consider what it optimizes for: people attach whatever's needed to resolve the issue ("here's the spreadsheet that won't import", "see the client's filing attached"), tickets are kept forever for auditability, and access is broad because support teams rotate. Multiply by years and you get a searchable, well-organized archive of the most sensitive documents in the business — maintained diligently, guarded loosely, and hosted by a vendor whose security you don't control.

This is the third act of a pattern this month's incidents keep rehearsing. The TfL attackers went through a help desk to get passwords reset. The SonicWall intrusions harvested credential stores from appliances. And now a ticketing platform gives up tax files. Different doors, same room: wherever copies of sensitive material pool by default, that's where attackers go — because one compromise yields thousands of documents nobody remembers attaching.

The third-party multiplier

The platform was a vendor's, which adds the now-familiar supply-chain twist: your data's exposure is set by the weakest SaaS tool any of your teams adopted. Vendor questionnaires won't fix that retroactively. What helps is reducing what the tool holds: if the ticket references where a document lives instead of carrying the document, a platform compromise leaks metadata, not filings.

What to do about your own ticket archive

  • Audit attachments, not just access. Search your ticketing system for what's actually in it — tax documents, contracts, credentials, exported databases. Most teams are surprised.
  • Set retention to match reality. A resolved ticket rarely needs its attachments after 90 days. Auto-purge attachments on closure where policy allows; keep the ticket text for audit.
  • Move sensitive hand-offs out of the ticket body. When support work requires a credential or a sensitive file, pass it through a channel that expires and can be read once, and put the reference in the ticket. The workflow stays auditable; the archive stays empty.
  • Treat vendor ITSM tools as data processors. Because that's what they are: scope what categories of data may enter them, and include them in your breach-notification planning — EY's timeline (access in March, letters in July) shows how long that tail is.

The uncomfortable summary: EY didn't lose a database; it lost the accumulated sediment of everyday helpfulness. Every organization has the same sediment somewhere. The fix is structural — decide that sensitive material doesn't rest in workflow tools, and give people an equally easy path that doesn't leave a copy behind.

Share a secret the safe way

End-to-end encrypted, one-time links — free, no account needed.

Try Secretus