EY Withdraws Report Due to AI Hallucinations in Cybersecurity Claims

Severity: Low (Score: 36.9)

Sources: Sherwood.News, Computing, Ia.Acs.Au, Afr

Published: 2026-05-17 · Updated: 2026-05-19

Keywords: hallucinations, study, reports, loyalty, retracts, after, researchers

Summary

EY has retracted a 2025 study on loyalty rewards programs after researchers found numerous AI-generated inaccuracies, including fake citations and misattributed data. The report, which claimed the loyalty program economy was worth $200 billion and cited non-existent sources, was used by EY consultants in Canada to promote their cybersecurity services. Investigators from GPTZero revealed that approximately 60% of the references in the report were fabricated, raising concerns about the reliability of AI-generated content in professional reports. The withdrawal highlights the potential risks associated with AI hallucinations in critical business documents. EY has not publicly commented on the retraction.

Key Points:

  • EY's report on loyalty programs was retracted due to AI-generated inaccuracies.
  • Researchers found 60% of the report's references were fabricated or misattributed.
  • The incident underscores the risks of relying on AI for generating professional content.

Detailed Analysis

**Impact** EY’s December 2025 report on cybersecurity vulnerabilities in loyalty programs was withdrawn after discovery of fabricated data and citations. The report targeted the global loyalty program economy, estimated at $200 billion, with claims that 30-50% of loyalty points go unused and are vulnerable to exploitation. The flawed report was used by EY consultants in Canada to promote cybersecurity services, potentially misleading clients and damaging EY’s credibility in the consulting sector. No direct data breach or operational compromise has been reported.

**Technical Details** The issue stems from AI-generated hallucinations within the report, including nonexistent sources, broken URLs, and misattributed citations such as a fictitious McKinsey report. There is no indication of a cyberattack, malware, or exploitation of vulnerabilities; rather, the problem is inaccurate AI-assisted content generation. No CVEs, malware, or infrastructure details are mentioned. The problem relates to the report’s research and publication phase, not a traditional cyber kill chain.

**Recommended Response** Organizations should verify the authenticity of AI-generated content and citations before use in decision-making or client communications. Consulting firms must implement rigorous human review processes to detect AI hallucinations in reports. Monitor for similar incidents involving AI-generated misinformation in professional services. No technical patches or detection rules apply as this is a content integrity issue rather than a cyber intrusion.

Source articles (4)

  • EY retracts study after researchers discover AI hallucinations — Afr · 2026-05-17
    New York | EY has withdrawn a study on loyalty rewards programs that included apparent artificial intelligence hallucinations and fake footnotes, in the latest example of a professional services firm…
  • EY retracts cyber report littered with AI errors - Information Age — Ia.Acs.Au · 2026-05-19
    Consulting giant EY has retracted a cybersecurity report after researchers revealed that nearly three-quarters of its references were AI hallucinations. Researchers from GPTZero released an analysis l…
  • EY cybersecurity report pulled after probe finds 'AI hallucinations' — Computing · 2026-05-18
    EY Canada removed a cybersecurity report after an investigation found it contained AI-generated fabrications, including non-existent sources and inaccurate claims. A cybersecurity report published by…
  • AI hallucinations appear to be creeping into consulting reports — Sherwood.News · 2026-05-15
    A 44-page report titled “Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems” looks like many others that management consultancy EY publishes every year. These types of reports a…

Timeline

  • 2025-12-01 — EY publishes loyalty programs report: The report titled 'Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems' is released, claiming significant vulnerabilities in loyalty programs.
  • 2026-05-15 — GPTZero investigation reveals inaccuracies: Researchers from GPTZero disclose that 60% of the references in EY's report are fabricated, leading to scrutiny of the document's credibility.
  • 2026-05-17 — EY retracts the report: EY officially withdraws the study after the findings of AI hallucinations and fake citations are made public.

Related entities

  • Australia (Country)
  • Singapore (Country)
  • for.in (Domain)
  • MacOS (Platform)