bleepingcomputer.com
By Sergiu Gatlan
March 9, 2026

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide.

In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider who was storing personal data for employees and customers discovered a breach on April 28, 2025.

After detecting the incident, the third-party vendor notified the FBI and hired external cybersecurity experts to assess the extent of the breach and its impact.

The investigation, which was completed last month, found that a total of 15,661 individuals had their data exposed in the incident. However, Ericsson noted that the compromised provider has yet to find evidence that the data has been misused since the breach.

"Based on the investigation, our service provider determined that a limited subset of files may have been accessed or acquired without authorization between April 17, 2025 and April 22, 2025," Ericsson said.

"As part of its investigation, it retained external data specialists to conduct a comprehensive review of the potential affected files to identify any personal information. That review was completed on February 23, 2026 at which time we determined that that some of your personal information was contained within the affected files."

According to a separate filing with the Texas Attorney General, the exposed information includes affected individuals' names, addresses, Social Security Numbers, Driver’s License numbers, government-issued ID numbers (e.g., passport, state ID cards), financial Information (e.g., account numbers, credit or debit card numbers), medical Information, and dates of birth.

Ericsson is now providing free IDX identity protection services, including credit monitoring, dark web monitoring, identity theft recovery, and a $1 million identity fraud loss reimbursement policy to affected people who enroll by June 9, 2026.

Although the company flagged this incident as a data theft attack, no cybercrime group has taken responsibility for the breach. This raises the possibility that either the third-party vendor paid the ransom demanded by the attackers or that the threat actors were unable to connect the breach to Ericsson.

When BleepingComputer reached out for more details on the breach, including the total number of affected individuals, an Ericcson spokesperson said they didn't have "anything to share beyond the letter."

Update March 10, 06:39 EDT: In a filing with Maine's Attorney General, Ericsson says the breach affects a total of 15,661 individuals.

| Cyber Security Agency of Singapore
www.csa.gov.sg
9 February 2026

The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) shared details of a multi-agency cybersecurity operation, codenamed Operation CYBER GUARDIAN, to defend our telecommunications sector.

Press Releases
Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector
9 February 2026

The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) shared details of a multi-agency cybersecurity operation, codenamed Operation CYBER GUARDIAN, to defend our telecommunications sector.

Background
2 On 18 July 2025, Coordinating Minister for National Security Mr K Shanmugam shared that Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure. No further details were shared then, to preserve operational security. Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators (“telcos”) – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks.

Singapore’s telcos targets of cyberattacks
3 APTs are sophisticated and persistent, getting past defences with advanced methods over time. UNC3886 is an APT actor with deep capabilities. UNC3886 deployed advanced tools in their campaign to gain access into our telco systems. For example:

a. In one instance, they used a zero-day exploit[1] to bypass a perimeter firewall of our telcos and gained access into our telco networks. They also managed to exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objectives.

b. In another instance, the threat actor utilised advanced tools and techniques such as rootkits[2] to maintain persistent access and cover their tracks and evade detection. This made it challenging for cyber defenders to detect their presence, requiring the cyber defenders to conduct comprehensive security checks across the networks.

Operation CYBER GUARDIAN mitigated serious threat posed by UNC3886
4 The threat actor’s activities were initially detected by the telcos, who then notified IMDA and CSA of the breach. CSA, IMDA and other government agencies swiftly launched a coordinated whole-of-Government response, in partnership with the telcos to contain the breach. The operation, codenamed Operation CYBER GUARDIAN, is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than eleven months. Over 100 cyber defenders across agencies such as CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD) were involved in the operation.

5 Under Operation CYBER GUARDIAN, the authorities worked closely with the telcos to limit UNC3886’s movement into the networks and ensure our systems remain safe to use. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere.

a. The threat actor was able to gain unauthorised access into some parts of telco networks and systems. In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services.

b. There is no evidence to-date that sensitive or personal data such as customer records were accessed or exfiltrated.

c. There is also no evidence that the threat actor managed to disrupt telecommunications services such as internet availability.

6 Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos.

7 The close partnership between the public and private sector in Operation CYBER GUARDIAN reflects our national doctrine of cyber defence, in which government agencies, as well as the private sector come together to collectively defend our cyber space. The doctrine also guides capability development across our cyber ecosystem, sets out the roles that different parties should play in cyber defence, and the actions that should be taken during a cyber incident. This coordinated approach is a key pillar of Singapore’s cyber security.

The fight is ongoing
8 While our collective efforts have contributed to containing the attacks so far, we must be prepared that there may be future attempts to gain access into our telco infrastructure. Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data. If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.

9 The Government takes a serious view of the cyberattack against our telcos. CSA and IMDA have been working closely with our telcos to strengthen their cyber defences, enhance detection capabilities, and deploy active monitoring systems to maintain vigilance against new attempts by UNC3886 to re-enter their networks. Telcos have also been putting in place interventions including joint threat hunting, penetration testing, and levelling up of capabilities. CSA will also be progressively introducing initiatives to raise the level of capabilities across our cyber ecosystem, to enable better and more timely responses against cyber threats and to strengthen Singapore’s cyber defences.

10 Speaking at an engagement event for cyber defenders involved in Operation CYBER GUARDIAN, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity & Smart Nation Group, Josephine Teo, thanked the defenders for their contributions and called for continued vigilance.

11 In her address, she also highlighted the important role played by critical infrastructure operators who are at the frontlines of the battle against cyber threat actors. She said, “Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security. I urge all of you to continue investing in upgrading your systems as well as your capabilities”. In closing, Minister Teo acknowledged the need for the government and critical infrastructure owners to work together as a team, so that we can be effective against sophisticated adversaries and protect everything we care about.

​More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon.

T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.

Nokia's investigation of recent claims of a data breach found that the source code leaked on a hacker forum belongs to a third party and company and customer data has not been impacted.

EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity, published the first report on the cybersecurity and resilience of Europe’s telecommunications and electricity sectors.

Mobile operators have traditionally relied on proprietary hardware from vendors like Ericsson, Nokia and Huawei to build their networks. And now with 5G comes the push to “virtualize” network functions, replicating key elements in software so they can run on generic hardware, or even in the cloud.

The Government of Canada announced its intention to ban the use of Huawei and ZTE telecommunications equipment and services across the country's 5G and 4G networks.

The Government of Canada has serious concerns about suppliers such as Huawei and ZTE who could be compelled to comply with extrajudicial directions from foreign governments in ways that would conflict with Canadian laws or would be detrimental to Canadian interests.