A vishing (voice phishing) attack on a third-party vendor supporting Ericsson’s US operations exposed data on 15,661 people. Attackers used a phone call to trick an employee into handing over account access in April 2025. The breach, disclosed to state regulators, may include Social Security numbers, financial data, and medical information.
The breach was confirmed in filings with state regulators, as The Register notes. The incident traces back to April 2025, when attackers used a phone call to socially engineer a single employee at an unnamed third-party vendor into handing over account access.
Vishing, voice phishing over the phone by pretending to be a legitimate caller, is a growing threat. Usually, attackers pose as IT service staff or another internal department. Such attacks exploded in popularity a few years ago, and security teams are still learning how to prepare staff for this unexpected avenue of social engineering.
In this particular case, Ericsson’s partner detected the breach on April 28, 2025, days after attackers had potentially accessed data between April 17 and April 22. It then brought in outside cybersecurity experts, forced password resets, and notified the FBI.
Names, Social Security numbers, and more
What exactly was exposed depends on which state filing you look at. Maine’s attorney general received a disclosure covering names and Social Security numbers. Texas regulators, however, received a broader picture: the 4,377 Texas individuals affected may have had names, addresses, Social Security numbers, driver’s licence numbers, government-issued IDs, financial information, medical information, and dates of birth compromised.
Ericsson says it has not yet seen evidence that the stolen information has been misused. Of course, this is incredibly hard to confirm or deny. In large-scale leaks, it is enticing for attackers to sell the stolen data to another party or use it later for a future compromise.
Months passed before Ericsson was told
One notable aspect is the timeline. The vendor notified Ericsson Inc, the US arm of the Swedish telecoms giant , only on November 10 last year, roughly seven months after the breach. Identifying all affected individuals then took until February 23.
Ericsson itself has been targeted last year as well. The company was among dozens of organisations named in the Salesloft breach of 2025, in which attackers stole OAuth tokens to access data at hundreds of companies, with Salesforce ultimately refusing extortion demands from the ShinyHunters group. This same attacker recently hit Dutch telco Odido with a gigantic breach leading to millions of users’ personal info being stolen.
Affected individuals are being offered 12 months of credit monitoring and advised to watch bank accounts and credit reports closely. The vendor has since added new safeguards and staff training, according to Ericsson’s disclosure.