Consulting giant EY has retracted a cybersecurity report after researchers revealed that nearly three-quarters of its references were AI hallucinations.

Researchers from GPTZero released an analysis last week investigating a report from EY last year about “cyber threats and fraud in loyalty systems”, which it labelled a “collage of misattributions, inaccurate statistics and AI-written text”.

The errors appear to be a result of AI hallucinations, with generative AI tools such as ChatGPT confidently providing information that is incorrect or citing sources that don’t exist.

Of the 27 citations in the EY report, more than 70 per cent were AI-generated and either made up or referenced incorrectly, according to GPTZero.

“Not only does the text scan as AI-generated, it’s riddled with common LLM errors like fake statistics, misattributions and internal contradictions,” the researchers said.

“For example, research citations to Forbes, McKinsey, Gartner, TechCrunch and Wired were either broken URLs or never existed in the first place.”

Following the GPTZero report, EY Canada withdrew the report and said it was “reviewing the circumstances that led to this article’s publication”.

“EY Canada takes the accuracy of all the content we publish seriously, and we have an organisation-wide commitment to the responsible use of AI,” a company spokesperson said.

Contradictions and made-up references

The executive summary of the EY report claimed that the global loyalty points market is worth $US200 billion ($280 billion) and that 30-50 per cent of those points are left unused.

The report cites Forbes for this stat, but a few pages later the same $US200 billion figure is used as an estimate of only the unredeemed loyalty points.

The source of the second use of the statistic was from a non-existent report by McKinsey, when the researchers found that it actually came from an obscure fintech blog post from six months earlier.

“This fabricated citation appears verbatim in the EY report’s reference table, laundering an invented source from a low-quality blog into a Big Four publication,” the researchers said.

Other claims in the report were not cited at all, including a statement that 72 per cent of customer loyalty programs have reported some type of theft or fraud.

Later in the report, the same stat was used but attributed to a different source, and neither were included in the report’s references table.

“Contradicting references, low-quality sources and out-of-date statistics are all indications of AI slop,” the GPTZero report said.

Researchers raised concerns the inclusion of incorrect or made-up information in a report by an established company risks “poisoning the well” by potentially misleading researchers in the future.

Australian newspaper The Canberra Times was referenced in the report as a media organisation that had included the EY report in a news story recently.

Hallucinations everywhere

EY, along with many other major consulting firms, has doubled down on AI use in recent years.

According EY, AI-related revenue at the company grew by 30 per cent in the last year, and 15,000 of its employees had worked on client projects “ranging from delivering enterprise-wide transformations to AI governance frameworks that help drive the responsible implementation of AI”.

It comes after fellow Big Four consulting firm Deloitte last year partially refunded the federal government for a report it delivered that was partially based on generative AI-generated information that included several fabricated references and quotes.

Accenture has also encouraged the internal use of AI, and is even reportedly beginning to measure staff engagement with internal AI tools as part of promotion decisions.