BusinessCybersecurityNewswireTechnology

Abbott Investigates 2 Cyber Incidents Amid Extortion Claims

▼ Summary

– Abbott Laboratories is investigating two separate cybersecurity incidents: unauthorized access to legacy Exact Sciences systems in its Cancer Diagnostics business, and a separate claim that attackers breached its LabCentral portal.
– The ShinyHunters extortion gang added Abbott to its data leak site, initially threatening to publish allegedly stolen data after July 18, later extending the deadline to July 21.
– ShinyHunters claimed it gained access through a vishing attack targeting employees in mid-June, compromising a Microsoft Entra SSO account, and alleges theft of over 30 million rows of customer PII, including Social Security numbers.
– A second threat actor, ShadowByt3$, claimed to have breached Abbott’s Core Laboratory diagnostics business via its LabCentral portal using compromised customer credentials, stealing technical documents and intellectual property.
– Abbott confirmed awareness of the potential LabCentral incident but stated all data in that environment is public and not sensitive, and said the Cancer Diagnostics incident does not impact business operations, manufacturing, or ability to serve patients.

Abbott Laboratories is currently investigating two separate cybersecurity incidents, including unauthorized access to legacy Exact Sciences systems within its Cancer Diagnostics division and a separate claim involving its LabCentral customer portal. The company has confirmed the first breach after the ShinyHunters extortion group listed Abbott on its data leak site, threatening to publish allegedly stolen data unless negotiations began. Initially set for July 18, the deadline was later extended to July 21.

Abbott acknowledged the Exact Sciences incident following ShinyHunters’ actions, stating in a public statement that unauthorized access occurred in a limited number of internal systems tied only to its Cancer Diagnostics business. The company emphasized that the breach does not affect operations, product availability, manufacturing, lab work, or patient services. It also clarified that the compromised systems are legacy and separate from other Abbott divisions.

In response, Abbott activated incident response protocols, engaged cybersecurity experts, and notified law enforcement. The company does not expect the incident to materially impact its business or financial results.

ShinyHunters told BleepingComputer it gained access through a vishing attack in mid-June, targeting several Abbott employees. The threat actor claimed this allowed it to compromise a Microsoft Entra single sign-on (SSO) account, enabling entry into internal systems. Since last year, the group has run social engineering campaigns against corporate SSO accounts, stealing data from SaaS platforms like Salesforce, Microsoft 365, Google Workspace, SAP, and others.

The extortion gang has increasingly targeted medtech companies, including Medtronic, OneMedical, and AdaptHealth. BleepingComputer also learned that ShinyHunters was behind the iRhythm data breach and targeted Stryker shortly after it recovered from a destructive Iranian data-wiping attack.

When asked about stolen data, ShinyHunters claimed it exfiltrated information from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, including internal documents, contracts, and customer data. The group alleged it stole more than 30 million rows of customer personally identifiable information (PII) , containing names, email addresses, phone numbers, physical addresses, dates of birth, and over one million Social Security numbers. It also claimed to have taken over 22 million client notes with doctor-patient conversations, more than 20 million medical orders, and customer agreements and NDAs. BleepingComputer has not independently verified these claims.

The second incident involves a threat actor named ShadowByt3$, who contacted BleepingComputer claiming to have breached Abbott’s Core Laboratory diagnostics business through its LabCentral customer portal. The actor said it used compromised customer credentials after identifying a “weak point” in the environment. Access was gained on July 4, 2026, and files were slowly exfiltrated via API endpoints.

ShadowByt3$ claims the stolen data includes CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, product requirement archives, calibrator value assignments, assay files, and other product documentation for Abbott’s laboratory diagnostic systems. The group says no customer data was taken but asserts it obtained sensitive business documents and intellectual property. It provided screenshots and a file listing as proof.

Abbott confirmed awareness of the potential incident but disputed the characterization of the data. A spokesperson stated that LabCentral is an externally hosted third-party portal for Abbott’s core laboratory diagnostics business, containing only publicly available technical product reference documents like operating manuals and troubleshooting checklists. The company emphasized that no proprietary or sensitive customer or business information is stored there.

As of now, neither ShinyHunters nor ShadowByt3$ has publicly released the data they claim to have stolen from Abbott.

(Source: BleepingComputer)

Topics

cybersecurity incidents 100% data breach claims 98% shinyhunters extortion 95% cancer diagnostics breach 93% vishing attack 90% data exfiltration 88% customer pii theft 85% labcentral portal breach 83% intellectual property theft 80% sso account compromise 78%