Ericsson Blames Vendor Vishing Slip Up For Breach Exposing Thousands Of Records - RedPacket Security

By Cybersol · March 17, 2026 · 5 min read

Seven-Month Notification Gap Exposes Structural Vendor Risk Governance Failure in Ericsson Breach

Why This Matters at Board and Regulatory Level

The Ericsson incident, which affected 15,661 individuals through a compromised third-party vendor, is not primarily a cybersecurity failure. It is a governance and contractual failure. A vishing attack on an unnamed service provider in April 2025 went unreported to Ericsson until November 2025, a gap of roughly seven months. Whether that gap is itself a legal violation depends on the contract and on which regime covers the vendor and the data (NIS2 reporting duties run to national authorities, not from a vendor to its customer, and GDPR applies only to the extent EU data subjects are affected). What the gap shows regardless is a vendor risk framework that treated third-party security as a compliance checkbox rather than as a binding operational control. That model creates material liability and regulatory exposure independent of breach severity.

The Notification Timeline Reveals Contractual Invisibility

The breach sequence is instructive: attackers conducted voice phishing against a vendor employee between April 17 and 22, 2025. The vendor discovered the incident on April 28. Yet Ericsson, the organization whose data was compromised, did not learn of the breach until November 10, 2025, a lag of 196 days between the vendor's discovery and notification. Two clarifications matter here. First, NIS2 Article 23 obliges essential and important entities to send an early warning to their CSIRT or competent authority within 24 hours of becoming aware of a significant incident (followed by a notification within 72 hours and a final report within a month); it governs reporting to authorities, not a vendor's duty to tell its customer, and a service provider that escalated to the FBI rather than to an EU CSIRT may not be a NIS2 entity at all. Second, the obligation that directly fits a vendor-to-customer delay is contractual, reinforced for GDPR-scope data by Article 28(3)(f) and Article 33(2), which require a processor to notify the controller of a personal data breach without undue delay. A 196-day delay is hard to reconcile with either. More critically, the delay indicates that Ericsson had no effective contractual mechanism, audit right, or operational visibility into vendor incident response: whatever notification clause existed was either absent or unenforced. The vendor acted independently, engaged external cybersecurity experts, notified the FBI, and reset credentials, all without triggering escalation to the organization whose data was at risk. This is not a technical control failure; it is a contractual governance failure.

Human-Factor Controls Are Absent From Vendor Risk Assessments

Vishing, social engineering conducted over the phone, succeeds because vendor security assessments rarely evaluate human-factor resilience or contractually mandate baseline defenses such as phishing-resistant multi-factor authentication, credential protection standards, help-desk identity verification before any credential reset, and security awareness training. The Ericsson vendor's employee was manipulated into providing access. Post-incident, the vendor added "new safeguards and extra staff training," which implies these controls were weak or absent beforehand. This is typical: organizations run vendor security questionnaires focused on technical infrastructure, compliance certifications, and incident response procedures, but rarely demand contractual commitments to human-factor controls or ongoing verification of security awareness. Vishing exploits this gap systematically. One caveat a practitioner should insist on: "mandatory MFA" is not enough on its own, because a vishing caller can talk a victim into reading back a one-time code or approving a push prompt; the contractual baseline should name phishing-resistant methods (FIDO2/WebAuthn authenticators) for any account with access to customer data. Under NIS2 (Article 21(2)(d), supply chain security) and, for financial entities and their ICT providers, DORA, organizations must manage third-party risk through binding measures; human-factor controls belong in that set and should be contractually binding, auditable, and measured continuously, not assessed once during onboarding.

Data Exposure Scope Reveals Classification and Notification Complexity

The breach exposed names, Social Security numbers, addresses, government-issued IDs, financial information, medical data, and dates of birth. The scope varies by jurisdiction: the Maine filing references names and SSNs; the Texas filing identifies 4,377 affected individuals with expanded data categories including driver's license numbers and passport information. This jurisdictional fragmentation in breach notification, a common governance weakness, pushed final notification out to February 23, 2026, about ten months after the initial compromise. Organizations often lack contractual mechanisms requiring vendors to classify data by sensitivity, jurisdiction, and regulatory exposure. Ericsson's disclosure process was reactive, not proactive: the vendor determined scope; Ericsson then tracked individuals and notified regulators. Note that the filings cited are with US state attorneys general, and SSNs point to US residents, so the directly applicable notification regimes are state breach laws; GDPR Articles 33 and 34 (72 hours to the supervisory authority from becoming aware, and communication to data subjects without undue delay where the risk to them is high) apply only to the extent EU data subjects were affected, and for those the delay itself creates liability independent of the breach. Contractual vendor agreements should mandate real-time data inventory transparency and pre-negotiated notification protocols by data category and jurisdiction.

Systemic Weakness: Vendor Risk Remains Disconnected From Operational Reality

Cybersol's assessment identifies a structural governance gap: vendor risk management is treated as a procurement and compliance function, not as an operational control. Nothing in the public record shows Ericsson exercising a contractual right to prompt breach notification; if such a clause existed, it did not work. The vendor's incident response, while technically sound (FBI notification, external experts, credential resets), operated in isolation from Ericsson's risk posture. This reflects a broader pattern: organizations negotiate data processing agreements (DPAs) that define roles and responsibilities but fail to establish binding incident escalation timelines measured in hours, not months. Vendor contracts rarely include audit rights extending to human-factor controls, security awareness metrics, or real-time access logs. The public record does not say which authentication controls the vendor had in place; what it does show is that a phone call to one employee was sufficient to obtain access to customer data, which means either that phishing-resistant MFA and credential protection standards were not enforced or that a reset or enrollment process could be talked around. Both should be contractually mandatory for any vendor processing sensitive personal data. Under NIS2, essential and important entities must address supply chain security through binding contractual measures, not through trust in vendor self-assessment.

Regulatory and Liability Exposure

The seven-month notification gap creates multiple regulatory exposures, with two corrections to how they are usually described. NIS2 Article 23 does not require a vendor to notify its customer within 24 hours; it requires in-scope entities to warn their national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. Ericsson's NIS2 exposure is therefore whether its own reporting clock, which started on November 10, 2025, was met, and whether its supply chain measures under Article 21 were adequate. Under GDPR the obligations are split: Article 33 requires the controller to notify the supervisory authority within 72 hours of becoming aware, Article 33(2) requires the processor to notify the controller without undue delay, and Article 34 requires communication to affected individuals without undue delay where the breach is likely to result in a high risk to them. Measured against those, the vendor's 196-day silence and the further gap from November 10, 2025 to the February 23, 2026 individual notifications are the exposures, not the interval from the April compromise, and they matter only for data subjects within GDPR scope (the published filings are US state notifications, which suggests most affected individuals are US residents). Affected EU data subjects could seek compensation under Article 82 for harm from delayed communication, and Ericsson faces potential administrative fines under Article 83 for any failure to ensure, through Article 28 processor terms, that its vendor met its obligations. The vendor's post-incident remediation, staff training and new safeguards, suggests these controls were absent or weak at the time of processing, creating liability for both organizations. This case demonstrates that third-party breach liability is not limited to the breached vendor; it extends to the organization whose data was compromised and whose contractual oversight was insufficient.

Closing Reflection

The Ericsson incident is governance-relevant because it demonstrates that vishing attacks succeed not through technical sophistication but through absent human-factor controls and contractual invisibility. Boards should demand that vendor contracts include binding incident notification timelines (measured in hours), phishing-resistant authentication for any access to customer data, mandatory security awareness training verified through third-party audit, and real-time access to vendor security metrics. Supply chain risk is fundamentally a contractual and governance problem. Organizations that treat vendor security as a compliance checkbox, rather than as a binding operational control with audit rights and escalation mechanisms, will continue to experience seven-month notification gaps and regulatory exposure. Review the original RedPacket Security analysis for full incident details and timeline.


Original Source: RedPacket Security, "Ericsson Blames Vendor Vishing Slip Up For Breach Exposing Thousands Of Records." https://www.redpacketsecurity.com/ericsson-blames-vendor-vishing-slip-up-for-breach-exposing-thousands-of-records/

Author: RedPacket Security