They simply accessed the data.
In the quiet corridors of institutional trust, two young men employed by one of the world's most prestigious professional services firms made a choice that no training manual could prevent: they looked where they should not have looked. Allegedly accessing the private banking details of Australia's Prime Minister while contracted to Commonwealth Bank, the 21 and 25-year-old EY graduates acted, by all accounts, on their own initiative — not under orders, but out of something more human and more troubling. Their arrest and termination arrive at a moment when the great accounting firms of Australia are already reckoning with questions about culture, accountability, and whether the structures built to govern professional conduct are holding.
- Two EY graduates allegedly used their privileged access during a Commonwealth Bank engagement to view the Prime Minister's personal banking details — a breach that was entirely self-directed, with no corporate instruction behind it.
- The Australian Federal Police moved swiftly, laying charges on May 6 — unauthorized data access, unauthorized distribution via carriage service — and both men were released on bail, with a court date now looming.
- EY terminated both employees after its internal investigation concluded, while Commonwealth Bank and the Prime Minister's Office offered near-total silence, leaving the public to absorb the breach without institutional explanation.
- The incident lands inside a broader crisis of confidence in Australia's Big Four firms, arriving just weeks after KPMG's CEO resigned over failures in handling a whistleblower complaint — raising urgent questions about professional culture at the highest levels.
- What is now being tested in court is not merely whether two young men broke the law, but how seriously Australian society treats the violation of a sitting leader's financial privacy by those entrusted with access to sensitive systems.
Two graduate employees at Ernst and Young have been fired and charged by police after allegedly accessing the private banking details of Prime Minister Anthony Albanese. The pair were working at Commonwealth Bank as part of a professional services engagement when they reportedly viewed the Prime Minister's account information — not under any corporate directive, but entirely of their own accord. EY was explicit on this point: the men were not following instructions from above.
The Australian Federal Police charged both on May 6. The younger, aged 21, faces counts of unauthorized data access and distributing that information via carriage service. His 25-year-old colleague faces a charge of causing unauthorized access. Both were granted bail. In its public statements, the AFP referred only to "a federal parliamentarian" rather than naming Albanese directly.
Following its internal investigation, EY terminated both men and declined to comment further. Commonwealth Bank said it would not discuss individual contractor matters. The Prime Minister's Office offered no statement. What the silence left behind was a reminder of the protocols that govern financial system access — that data is to be touched only for legitimate work purposes, never out of curiosity.
The case arrives as Australia's Big Four accounting firms face intensifying scrutiny. Weeks earlier, KPMG chief executive Andrew Yates resigned after an external review found the firm had mishandled a whistleblower complaint, with a senior audit partner also stepping down. Yates acknowledged the firm had "let ourselves down." The EY incident now adds another chapter to what is becoming a recognizable pattern — raising questions not just about individual conduct, but about the cultures that shape it.
Two young men working as graduate employees at Ernst and Young were fired and charged by police after allegedly looking into the private banking details of Prime Minister Anthony Albanese. The pair were stationed at Commonwealth Bank as part of a professional services engagement when they gained access to the Prime Minister's account information, according to Nine.com.au's understanding of the case. What set this apart from a routine workplace breach was that the two men appear to have acted entirely on their own—EY made clear they were not following orders from above, not executing some corporate directive. They simply accessed the data.
The Australian Federal Police moved quickly. A 21-year-old was charged with one count of unauthorised access to restricted data and a second count of using a carriage service to distribute that information. His colleague, 25, faced a charge of causing unauthorised access to restricted data. Both were charged on May 6 and released on bail. The AFP stopped short of naming Albanese in its public statements, referring instead to "a federal parliamentarian" as the target of the alleged breach.
Once EY's internal investigation concluded, both men were terminated. The company declined to elaborate further. Commonwealth Bank, when approached for comment, offered only that it would not discuss "individual contractor matters." The Prime Minister's Office said nothing at all. What emerged instead was a reminder of the training protocols that exist across the financial system: staff are instructed to access accounts only for legitimate work purposes, never out of curiosity, never for personal reasons.
The incident arrives at a moment when Australia's Big Four accounting firms are already under scrutiny. Just weeks earlier, KPMG's chief executive Andrew Yates resigned following an external investigation into how the firm had handled a whistleblower complaint. The review found that KPMG had failed to manage the situation with proper rigour, though both internal and external inquiries concluded the underlying allegations were without merit. Yates acknowledged the failure in his resignation statement, saying the firm had "let ourselves down" on its commitment to a speak-up culture. Julian McPherson, KPMG's national managing partner for audit and assurance, also stepped down and announced plans to resign after transitioning his client work.
The EY case adds another layer to what has become a pattern of governance and conduct issues at the country's largest professional services firms. Two young graduates, access they should not have had, data they should not have touched, and now a court date that will test how seriously Australian law treats the breach of a sitting Prime Minister's financial privacy.
Notable Quotes
I have been committed to a speak-up culture in our firm, it is clear that in this case we have let ourselves down and I take accountability.— Andrew Yates, former KPMG Australia CEO, on his resignation
The Hearth Conversation Another angle on the story
Why would two junior employees risk their entire careers for access to a Prime Minister's bank account? What were they actually trying to do?
That's the question no one's answering yet. The charges tell us what they did—accessed the data, possibly shared it—but not why. Sometimes it's curiosity. Sometimes it's leverage. Sometimes it's just because they could.
And EY made a point of saying they weren't ordered to do this. Why does that distinction matter?
Because it protects the firm from complicity. If this was a rogue act by two individuals, EY can argue it's a personnel problem, not a systemic one. They fired them, they cooperated. That's the narrative they're building.
But they were working on a live Commonwealth Bank engagement. Doesn't that suggest the security controls failed?
Absolutely. Two graduates shouldn't have had that level of access in the first place. Either the bank's permissions were too loose, or EY's oversight was inadequate. Probably both.
This comes right after KPMG's leadership crisis. Are these firms broken?
Not broken—tested. They're large, they handle sensitive information, and they're discovering that size and complexity create blind spots. The question is whether they fix the culture or just fix the optics.