The consulting firm Ernst & Young has withdrawn a cybersecurity report. An analysis by GPTZero found that 70 percent of the sources were fabricated by AI.
The international consulting and auditing group Ernst & Young has officially withdrawn a cybersecurity report published last year. The retraction followed a detailed review by AI-detection specialist GPTZero. Analysts found that more than 70 percent of the citations and references used in the report were either incorrect or entirely fabricated by artificial intelligence. The report, which primarily focused on the security measures and risks of loyalty programs, was classified by reviewers as a flawed compilation of unreliable data sources.
AI slop in Ernst & Young cybersecurity report
The investigation by forensic experts at GPTZero revealed that the authors of the EY report had relied heavily on generative AI models during its creation. Specifically, chatbots such as ChatGPT by OpenAI, Claude by Anthropic, and the AI search engine Perplexity were used for writing and research.
A subsequent manual review of the bibliographic references showed that the resulting text contained an extremely high density of incorrect citations, contradictory claims, and outdated statistics.
GPTZero classified the document in its official statement as a “collage of misattributions,” attributing the errors to the phenomenon known as “AI slop”. This term describes low-quality, algorithmically generated content published without sufficient human quality control. The analysts also introduced the concept of “vibe citations,” meaning references that appear superficially plausible and give the text a scholarly tone, but turn out to be completely nonexistent upon verification.
AI invents McKinsey as a source
The withdrawn EY report contained a prominent statistic in its executive summary claiming that the global loyalty market amounted to 200 billion US dollars. This figure was explicitly attributed to a study by the renowned consulting firm McKinsey & Company. However, a few pages later the document contradicted itself, stating that the same 200 billion US dollar figure referred to unused or expired loyalty points.
Investigations by GPTZero found that no such McKinsey article exists. Instead, the AI model used by EY had pulled the figure from an obscure fintech blog more than six months old and incorrectly linked it to the well-known consulting firm. Elsewhere in the report, it was claimed that 72 percent of all loyalty programs had already been affected by theft or fraud. Again, no empirical evidence supported this figure; it was attributed inconsistently to different sources throughout the text and was not included in the final bibliography.
Fabricated prestigious sources in detail
To give the cybersecurity report commercial and academic credibility, the language models generated numerous fictitious references attributed to well-known media outlets and research institutes. In addition to the false McKinsey references, the document included fabricated citations allegedly from business and technology publications such as Forbes, TechCrunch, and Wired, as well as market research firm Gartner.
This type of citation hallucination is a well-known issue in the field, as language models are trained to generate statistically likely word sequences rather than verify the real existence of URLs or studies. If such documents are published unchecked, researchers warn that they contribute to a systemic contamination of the information ecosystem (“poisoning the well”), as subsequent search queries and AI systems may treat fabricated data as verified facts.
Deloitte also had faulty references
The incident at Ernst & Young is not isolated but highlights a growing structural issue in the production of market analyses and reports by major auditing firms. As early as late 2025, competitor Deloitte came under criticism after incorrect references were discovered in an official document. In that case, the authors cited as a core source a specialist book that did not exist in either physical or digital form, also the result of an AI hallucination.
Auditing and consulting firms face significant market pressure to publish reports at high frequency. However, automating research with tools such as Perplexity or ChatGPT can lead to a loss of control if final verification of primary sources is omitted.
In response to the GPTZero review, Ernst & Young has removed the document from its servers and restricted access to it. The company announced internal investigations to review editorial approval processes and to implement stricter safeguards against AI-generated misinformation. The incident underscores the need for professional cybersecurity analyses to include full human verification (human-in-the-loop) to prevent reputational damage and the spread of misinformation online.