EY cybersecurity report pulled after probe finds ‘AI hallucinations’
https://www.computing.co.uk/news/2026/ai/ey-cybersecurity-report-withdrawn-ai-hallucinations
Publish Date: 2026-05-17 23:43:00
Source Domain: www.computing.co.uk
Several cited sources did not exist
EY Canada removed a cybersecurity report after an investigation found it contained AI-generated fabrications, including non-existent sources and inaccurate claims.
A cybersecurity report published by EY Canada has been removed from the firm’s website after an investigation found that large sections of it were generated using AI and contained fabricated citations and inaccurate claims.
The report, titled “Points of Attack: Uncovering Cyber Threats and Fraud in Loyalty Systems”, was released in late 2025 and examined cyber risks linked to loyalty rewards programmes.
However, AI-detection company GPTZero said its investigation found the 44-page document was “stuffed with hallucinations”, including dozens of references to sources that either did not exist or could not be verified.
According to GPTZero, 16 of the report’s 27 cited sources were either fabricated, misattributed or linked to broken web pages. References attributed to publications including Forbes, McKinsey & Company, Gartner, TechCrunch and WIRED reportedly led to missing pages or articles that never existed.
The report had been credited to three EY Canada employees, including two partners and a senior manager.
Fake or broken URLs
In a blog post outlining its investigation, GPTZero said the EY Canada report relied on in-text references and a resources table rather than conventional footnotes or academic citations.
“This table provides a source title, description, and URL for all sources, as well as the publisher and date in certain cases. Almost all of the URLs are broken or fake, and more than half of the titles don’t correspond to real sources,” the researchers said.
Moreover, the document contained what researchers described as “vibe citations” – references that sound plausible but cannot be traced to genuine material.
“Publishing a report online is essentially a form of data injection into the pool of knowledge that is the internet,” the researchers wrote.
“When the report includes fake information (either vibed citations or false claims) it can ‘poison the well’ by misleading future researchers, especially if the report is published by a well-known consulting firm and hosted on a high-traffic website.”
The investigators also identified inconsistencies within the report itself. At different points, the global loyalty programme market was valued at $200bn, while the amount of unclaimed loyalty points was also stated to be exactly $200bn.
In one case, a citation attributed to McKinsey & Company was allegedly traced back to what GPTZero described as a “low quality” blog post rather than original research.
EY removes the report
EY, one of the world’s “Big Four” accounting and consulting firms, said it had removed the report and was reviewing the circumstances surrounding the report’s publication.
“EY Canada takes the accuracy of all the content we publish seriously and we have an organisation-wide commitment to the responsible use of AI,” EY told the Financial Times.
The firm added that the report was not connected to work carried out for any client.
The incident is the latest in a series of high-profile cases involving the misuse of generative AI in professional services.
Last year, rival consultancy Deloitte revised a report prepared for a Canadian provincial government after concerns emerged over fake academic references. More recently, the US law firm Sullivan & Cromwell apologised to a court in New York after a legal filing cited incorrect cases and misquoted sections of US bankruptcy law.