Ericsson breach blamed on third party vendor vishing attack • The Register
Privacy Reporter

Voice-phishing scam targeting Ericsson vendor exposes 15,000+ records through social engineering

A voice-phishing scam targeting one of Ericsson's service providers has exposed the personal data of more than 15,000 individuals after attackers sweet-talked an employee into handing over access.

The incident, disclosed in filings with US state regulators, traces back to April 2025 when crooks targeted a single employee at an unnamed third-party vendor supporting Ericsson's US operations. According to the company's disclosure, the service provider discovered the breach on April 28, 2025, after spotting what it describes as a "vishing" incident – essentially social engineering carried out over the phone.

The third party later determined that attackers may have accessed data between April 17 and April 22. Once the alarm was sounded, the vendor says it brought in outside cybersecurity experts, forced password resets, notified the FBI, and launched a probe into what the callers managed to get their hands on.

Ericsson Inc, the US arm of the Swedish networking and telecoms giant, didn't hear about the incident until months later. The service provider notified Ericsson on November 10, 2025, that data associated with the company had been caught up in the breach. From there came the slower phase of breach response: figuring out exactly whose information might have been exposed and tracking down contact details for those individuals. That process wrapped up on February 23, 2026, and Ericsson confirmed this week that 15,661 individuals were affected.

A filing with Maine's attorney general says that the exposed data may include names and Social Security numbers, but a separate disclosure submitted to regulators in Texas suggests that the haul could be considerably bigger.

According to the Texas filing, 4,377 individuals in that state alone were affected, and the compromised data may include names, addresses, Social Security numbers, driver's license numbers, and other government-issued IDs such as passports or state ID numbers. In some cases, the exposed records may also include financial information, like bank account or payment card numbers, as well as medical information and dates of birth.

Ericsson says that it has not yet seen evidence that any of the stolen information has been misused, but affected individuals are being offered 12 months of credit monitoring and the usual advice to keep a close eye on bank accounts, credit reports, and anything else that might suddenly start behaving suspiciously.

The vendor involved has also added new safeguards and extra staff training since the breach, according to the disclosure. As this case shows, sometimes the weak point in a network isn't the software – it's whoever answers the phone.

®

Legal and Regulatory Implications

This breach highlights the growing regulatory scrutiny around third-party vendor management and data protection obligations. Under various state breach notification laws, Ericsson was required to report the incident to affected individuals and state attorneys general. The company's delayed notification timeline – from April 2025 discovery to February 2026 final confirmation – raises questions about compliance with statutory notification deadlines that typically require disclosure within 30-60 days of discovery.

Impact on Affected Individuals

The scale and sensitivity of the exposed data create significant risks for the 15,661 affected individuals. Social Security numbers, driver's license information, and financial account details represent the "crown jewels" of personal data that identity thieves actively seek. The inclusion of medical information adds another layer of concern, as health data breaches can lead to medical identity theft and insurance fraud.

Ericsson's offer of 12 months of credit monitoring, while standard practice, may prove insufficient given the long-term nature of identity theft risks. Victims of data breaches often face years of vigilance as stolen information circulates on dark web marketplaces and criminal networks.

Third-Party Risk Management

This incident underscores the critical importance of vendor risk assessment and management. Ericsson's reliance on third-party service providers created a vulnerability that attackers exploited through social engineering rather than technical hacking. The months-long gap between the vendor's discovery and Ericsson's notification suggests potential weaknesses in incident response coordination and communication protocols between companies and their partners.

Broader Context

This breach is part of a concerning trend in which sophisticated social engineering attacks bypass technical security measures by targeting human vulnerabilities. Similar incidents have affected organizations across industries, from healthcare providers to financial institutions, demonstrating that even well-resourced companies remain vulnerable to basic but effective attack techniques.

The case also highlights the challenges of maintaining data security in complex supply chains where multiple organizations handle sensitive information. As companies increasingly outsource functions to specialized vendors, the attack surface expands and security becomes only as strong as the weakest link in the chain.

For individuals affected by this breach, the coming months will require heightened vigilance. Beyond credit monitoring, experts recommend placing fraud alerts on credit files, monitoring financial statements for unusual activity, and being alert to potential phishing attempts that may use the stolen information as context for more convincing scams.

As organizations continue to grapple with evolving cyber threats, this incident serves as a reminder that technical solutions alone cannot address all security challenges. Human factors, from employee training to incident response procedures, remain critical components of comprehensive cybersecurity strategies.
