Ericsson Inc., the U.S. subsidiary of Swedish telecom giant Telefonaktiebolaget LM Ericsson, disclosed in March 2026 that a breach at one of its unnamed third-party service providers had exposed the sensitive personal information of 15,661 employees. The attack vector was not malware, a zero-day exploit, or a sophisticated nation-state intrusion. It was a phone call.
After our initial publication, 5GStore published a correction based on a direct response from Ericsson. According to Ericsson, the third-party vendor involved was a law firm that historically handled Ericsson's U.S. tax matters. That law firm experienced a phishing attack. The exposure for Ericsson was limited to certain employee tax-related information. Ericsson stated directly that no customer data was involved. This is a material clarification that most outlets covering this story have not reported. The broad data categories listed in state attorney general filings — including medical information and passport numbers — reflect the full universe of data types found across all companies whose data resided with that law firm, not necessarily every category applicable to Ericsson employees specifically. We address this in detail below.
Ericsson filed breach notifications with multiple U.S. state attorneys general, including California, Texas, and Maine, beginning March 9, 2026. The Maine Attorney General's Office, which publicly tracks such filings, confirmed the total count of affected individuals at 15,661. Notification letters went out by U.S. Mail starting that same day, arriving nearly eleven months after the data was first accessed.
This is not the story of a company whose internal defenses crumbled. Ericsson's own systems were never touched. The story is about how a single employee at a law firm that handled Ericsson's U.S. tax matters was deceived over the phone, and how that one interaction ultimately led to the exposure of personal data belonging to thousands of employees who had trusted Ericsson with their information.
The Breach: What Happened and When
The sequence of events, as reconstructed from state regulatory filings and Ericsson's own notification letters, is worth examining closely because the method of entry is the defining feature of this incident.
Between April 17 and April 22, 2025, an unauthorized party accessed a subset of files stored on the systems of an unnamed third-party vendor that handled data on behalf of Ericsson's U.S. operations. Ericsson has since clarified to at least one outlet that the vendor was a law firm that historically represented the company on U.S. tax matters. The vendor did not detect the intrusion until April 28, 2025 — six days after the window of unauthorized access had already closed.
According to The Register, which obtained details from state regulatory filings, the initial access was enabled by a vishing attack — voice phishing, meaning social engineering conducted over the phone. Attackers called an employee at the vendor and, through deception, obtained credentials or access that allowed them to reach the files in question. 5GStore's corrected reporting, based on Ericsson's own clarification, characterizes the attack on the law firm as a phishing attack; regulatory filings use the term vishing. Both descriptions point to social engineering as the root cause. Once inside, investigators believe the unauthorized party exfiltrated data before the vendor identified the suspicious activity.
Ericsson's breach notification letter filed with the California Attorney General (March 2026) states that the vendor detected suspicious activity on April 28, 2025 and engaged outside cybersecurity specialists.
After detecting the incident, the vendor brought in outside cybersecurity specialists, forced password resets across its environment, and notified the FBI. Those are standard incident response steps. What is less standard is what happened next: the vendor did not notify Ericsson about the breach until November 10, 2025 — more than six months after the data had been accessed.
April 17–22, 2025: Unauthorized access to vendor files occurs.
April 28, 2025: Vendor detects the suspicious activity and begins investigation.
November 10, 2025: Vendor notifies Ericsson that its data was involved.
February 23, 2026: Review of affected files completed; personal data confirmed exposed.
March 9, 2026: Ericsson begins mailing notifications to affected individuals.
June 9, 2026: Deadline to enroll in IDX identity protection services.
Once Ericsson was informed in November 2025, it retained external data specialists to conduct a comprehensive review of every file that may have been accessed. That review concluded on February 23, 2026, at which point Ericsson confirmed that personal information belonging to employees was contained within the accessed files. Breach notifications were then prepared and dispatched by mail beginning March 9, 2026.
What Was Actually Exposed — And What the Filings Don't Tell You
The scope of exposed data varies depending on which state filing you examine, and that discrepancy carries an important explanation that most outlets covering this story have not addressed.
According to the Texas Attorney General filing, which covered 4,377 Texas residents, the categories of potentially compromised information include:
- Full legal names and residential addresses
- Social Security numbers
- Driver's license numbers
- Government-issued ID numbers, including passport numbers and state ID cards
- Financial information, including account numbers and credit or debit card numbers
- Medical information
- Dates of birth
The Maine Attorney General's filing, which confirmed the total of 15,661 affected individuals nationally, characterized the exposure more narrowly as names and Social Security numbers. The California filing mirrors the more expansive Texas disclosure.
Here is what makes this important: the broad category lists in state AG filings — the ones that include medical records and passport numbers — typically reflect every data type found across all companies whose records were held by a given vendor at the time of the breach. They are not always specific to what a single named company's records contained. Ericsson clarified directly to 5GStore that the actual scope of its employee exposure was limited to certain tax-related information handled by the law firm. That clarification is material, and it is one that most coverage of this incident has not included.
The practical implication: if you received a notification letter from Ericsson, your Social Security number and tax-related personal data are the primary categories of concern. You should act with that in mind regardless of what the broadest category lists say, because tax data combined with Social Security numbers is more than sufficient for identity fraud, false tax return filing, and employment fraud. A narrower scope does not mean a safer situation.
Ericsson is sending letters by U.S. Mail to affected individuals. If you receive one, enroll in the IDX identity protection service before June 9, 2026. Place a fraud alert or security freeze on your credit files with Equifax, Experian, and TransUnion. Review financial account statements and, if you have not already done so, check your IRS account at irs.gov for any tax returns filed without your authorization. Because the breach involved a law firm handling tax matters, the risk of fraudulent tax return filing is a specific and elevated concern for individuals whose Social Security numbers were exposed.
Ericsson has stated that the service provider found no evidence that the stolen information has been misused since the time of the incident. As SecurityWeek noted in its coverage, that statement is a standard disclaimer frequently issued by breached organizations, and it carries limited weight because confirming misuse of stolen data in real time is extraordinarily difficult. Tax and identity data acquired in one breach is frequently sold or held for months before being used.
No cybercrime group has publicly claimed responsibility for the attack on the vendor. That absence of a claim is consistent with the law firm context: attackers who breach a law firm's systems are often after specific corporate data rather than broad consumer databases, and may have no reason to publicly announce what they took.
The Ten-Month Gap: Why Employees Found Out So Late
The operationally significant aspect of this breach is the timeline. People whose Social Security numbers and tax data were accessed in April 2025 did not receive written notification until March 2026 — nearly eleven months later. During that interval, they had no way to take protective action because they did not know they needed to.
The U.S. has no federal breach notification law with a uniform deadline. Instead, a patchwork of fifty state laws governs timing. Texas requires notification within 60 days of discovery. California requires expedient notice without a fixed window. Maine's law triggered the public filing confirming the 15,661-person count.
The critical question is when the clock starts. Texas ties the timeline to when the breached entity discovers the incident. If the law firm's April 28, 2025 detection triggered Texas's 60-day window, notification to Texas residents may have been due by late June 2025 — more than eight months before letters arrived. Whether that clock ran on the law firm, on Ericsson, or only once Ericsson was informed in November 2025 is a question regulators and class action attorneys are positioned to examine.
Law firms occupy an unusual position in breach notification law. They are not financial institutions subject to Gramm-Leach-Bliley, not healthcare entities bound by HIPAA. Their primary obligations run through state bar rules and ethics opinions — ABA Formal Opinion 483 and the NYC Bar's Formal Opinion 2024-3 both address the duty to notify clients of cybersecurity incidents. Those ethics frameworks, unlike breach statutes, do not specify calendar deadlines. The result is a gap that the incident illustrated precisely.
This lag has two distinct phases, each attributable to a different party. The first phase, April through November 2025, was a six-month period during which the vendor conducted its investigation but had not yet notified Ericsson that its data was involved. The second phase, November 2025 through February 2026, was the period during which Ericsson's own data specialists reviewed every potentially affected file to confirm what personal information was exposed before sending notifications.
The vendor's six-month delay in notifying Ericsson is the more troubling interval. A law firm that has confirmed unauthorized access to files belonging to a major corporate client generally has a contractual and ethical obligation to notify that client promptly. Many U.S. state breach notification laws also impose statutory timeframes. Whether those obligations were met is not addressed in Ericsson's public filings, and that is precisely the kind of question that class action attorneys — who have already begun investigating the incident — are positioned to pursue.
The Register (March 10, 2026) reported that the breach illustrates how human susceptibility to phone-based deception frequently outweighs technical perimeter defenses.
The regulatory landscape around third-party breach notification remains inconsistent across U.S. jurisdictions. Federal law does not impose a universal breach notification deadline, leaving timeline obligations to a patchwork of state laws with varying requirements. Texas, for instance, requires notification to affected residents within 60 days of discovering a breach. California requires expedient notification without specifying a fixed deadline. Whether the vendor's April 28, 2025 detection triggered those state-level clocks — and whether compliance occurred within required windows — is a question regulators and attorneys may examine further.
There is also a more specific legal angle here. Law firms are not typically subject to HIPAA or financial sector data protection regulations, but they do operate under attorney-client privilege obligations and state bar rules governing the safeguarding of client data. ABA Rule of Professional Conduct 1.6 requires attorneys to maintain the confidentiality of information relating to the representation of a client — and bar ethics opinions, including ABA Formal Opinion 483 from 2018 and the New York City Bar's Formal Opinion 2024-3, have addressed law firms' duty to notify clients when a cybersecurity incident has compromised, or may have compromised, client confidential information. Several state bar ethics bodies, including Maine's Professional Ethics Commission, have interpreted their rules as requiring prompt notification to both current and former clients following a breach. Whether a six-month delay from detection to client notification is consistent with those obligations is a question the state bar and class action attorneys are both positioned to examine. A phishing-enabled breach of client records at a law firm may trigger professional responsibility inquiries entirely separate from the civil litigation track already underway.
Who Targets Law Firms This Way — And Why
No cybercrime group has publicly claimed the Ericsson breach. That silence is worth examining, not just noting. Groups that conduct financially motivated data theft from law firms often have a specific reason to stay quiet: public attribution invites law enforcement scrutiny, and targeted corporate data is more valuable when it can be leveraged in private negotiations rather than announced on a leak site.
The attack profile described in Ericsson's filings — a vishing call to a single employee, no malware, rapid data exfiltration through the access that social engineering enabled — matches a documented campaign pattern that the FBI formally warned the legal sector about in May 2025. The Silent Ransom Group, also tracked as Luna Moth, Chatty Spider, and UNC3753, has been systematically targeting U.S. law firms since Spring 2023 using exactly this approach: no ransomware, no encryption, just social engineering and data theft followed by extortion under threat of exposure. By March 2025 — one month before the Ericsson breach window opened — the FBI's Cyber Division documented that the group had evolved its tactics from callback phishing emails to direct vishing calls impersonating internal IT staff, a technique assessed as highly effective and difficult to detect with traditional security controls because it relies entirely on legitimate remote access software.
This does not mean Silent Ransom Group conducted the Ericsson law firm breach. Attribution has not been established, and no public claim has been made. What it does mean is that the Ericsson incident did not occur in a vacuum. It occurred inside an active, documented threat campaign specifically designed to breach law firms through exactly the method described here. Between 2025 and early 2026, Halcyon tracked over 200 ransomware and extortion incidents targeting the legal services sector. Silent Ransom Group alone claimed 24 legal organizations in 2025. The FBI warning arrived in May 2025 — weeks after the Ericsson law firm had already been hit.
A phishing email has properties that can be inspected and blocked: a sender address, URL patterns, attachment signatures, language heuristics. A vishing call has none of these. It arrives as a phone call. The security control that needs to work is the human at the other end.
The FBI's Silent Ransom Group advisory documented the group's evolution from callback phishing (sending an email that instructs the recipient to call a number) to direct vishing calls impersonating IT helpdesk staff. In the direct model, there is no email to flag, no link to sandbox, no attachment to detonate. The attacker calls, claims to be from IT, and asks the employee to open a remote access session. The technical footprint of the attack begins only after the employee complies.
Standard enterprise phishing simulations measure click-through rates on fabricated emails. They provide no training signal for this attack type. The simulation that would have prepared the breached employee for this call is a live phone scenario with someone attempting to impersonate IT staff — a training mode most firms outside regulated sectors have not adopted.
Law firms are targeted for reasons that are structural, not incidental. They hold sensitive data for corporations, individuals, and government entities under conditions that make them reluctant to disclose incidents publicly. Attorney-client privilege and reputational stakes create pressure to resolve breaches quietly. Many firms — particularly those outside the Am Law 100 — have historically lagged behind enterprise technology companies on cybersecurity maturity, incident response planning, and the kind of data governance controls that limit what a single compromised employee can expose. A threat actor who understands the legal sector knows all of this before dialing the first number.
The practical implication for any organization that shares sensitive data with outside legal counsel is direct: your law firm's security posture is part of your attack surface. The same data governance and vendor security requirements that apply to technology vendors and payroll processors should apply to the firms that handle your tax matters, employment disputes, and regulatory filings. The Ericsson incident is a case study in what happens when they do not.
This is not an isolated incident in Ericsson's recent security history. Understanding the March 2026 disclosure requires placing it alongside a significant third-party incident that affected the company's U.S. operations within the preceding twelve months.
In late August 2025, Ericsson Enterprise Wireless Solutions — the division that manages Cradlepoint networking products — notified customers of a separate breach involving Salesloft Drift, a CRM-integrated AI chat platform. In that incident, unauthorized actors accessed Ericsson Enterprise Wireless Solutions' Salesforce CRM instance through OAuth tokens stolen from Salesloft's Drift integration. The information exported included customer contact information, account data, and text from certain customer support cases.
The Salesloft breach was part of a far larger supply-chain campaign that Google's Threat Intelligence Group tracked under the designation UNC6395, which compromised Salesloft's Drift integration and used stolen OAuth tokens to pivot into the Salesforce instances of hundreds of downstream companies. Researchers at Mandiant documented that the data theft began as early as August 8 and ran through at least August 18, 2025, with approximately 700 Salesloft customers affected. The ShinyHunters extortion group publicly claimed responsibility, though security researchers noted the relationship between ShinyHunters and UNC6395 remained unconfirmed; Recorded Future analyst Alan Liska observed overlapping tools and techniques with Scattered Spider but stopped short of formal attribution. The FBI issued a flash alert on September 12, 2025 warning about the campaign.
Joshua Wright, Senior Technical Director at Counter Hack (June 2025), observed that this threat actor category had pivoted away from conventional privilege escalation toward attacking centralized identity and SSO infrastructure directly.
Two significant third-party disclosures within less than a year, affecting different vendors and exposing different categories of data, represent a pattern that security professionals and enterprise customers should regard carefully when evaluating vendor risk. The August 2025 Salesloft incident involved contact and CRM data at the Cradlepoint division. The March 2026 disclosure involves Social Security numbers and tax-related personal information at the core Ericsson Inc. level. They are distinct in both attack vector and data sensitivity, but together they illustrate the same structural exposure: Ericsson's data lives in environments it does not control, and those environments have been successfully targeted more than once.
What Ericsson Is Offering Affected Individuals
Ericsson is providing complimentary identity protection services through IDX to all individuals confirmed as affected by the breach. The package includes 12 months of credit monitoring across major bureaus, dark web monitoring, fully managed identity theft recovery services, and a $1 million identity fraud loss reimbursement policy.
The enrollment deadline for these services is June 9, 2026. Individuals who do not enroll before that date will forfeit access to the IDX services. Ericsson has also advised affected individuals to place fraud alerts or security freezes with the three major credit reporting agencies — Equifax, Experian, and TransUnion — and has provided contact information for those agencies in its notification letters, along with resources from the Federal Trade Commission.
There is a question the notification letter does not raise but affected individuals should consider: is twelve months enough? The data was accessed in April 2025. Notifications went out in March 2026. The IDX service window, starting from enrollment, runs approximately through mid-2027 at best. Tax and identity data is frequently held, traded, or sold on criminal markets for months or years before it is used. A threat actor who acquired Social Security numbers and tax records in April 2025 has no obligation to act within anyone's monitoring window. Affected individuals should treat the IDX service as a floor, not a ceiling. Credit freezes, which are free and permanent until lifted, provide protection that does not expire with a monitoring subscription. The IRS Identity Protection PIN, similarly, remains in force year to year and does not depend on a vendor's enrollment deadline.
Because the breach specifically involved a law firm handling tax matters, affected individuals should also consider placing an Identity Protection PIN with the IRS, which prevents someone else from filing a federal tax return using your Social Security number. The IRS IP PIN program is free and available at irs.gov. This step goes beyond what Ericsson's notification letter recommends and is particularly relevant given the confirmed scope of the data involved.
The vendor has reportedly added new security safeguards and supplemental staff training since the breach was confirmed, according to details included in Ericsson's regulatory disclosures. The specific nature of those safeguards has not been described publicly.
The Broader Implication: Vendor Risk Is Your Risk
Vishing and phishing are not new techniques. Threat actors have used phone-based and email-based social engineering to circumvent technical controls for years. What has changed is the sophistication, targeting, and frequency. Researchers have documented a marked increase in social engineering campaigns that impersonate IT support staff, HR departments, or executive offices with enough contextual detail to deceive trained employees. When law firms — which handle confidential data for corporations, governments, and individuals — become the target, the downstream exposure can be substantial and the attack surface is often less hardened than at larger enterprise technology vendors.
The Ericsson incident illustrates a structural vulnerability that technical controls alone cannot address: the human at the end of a phone call or email. Whatever perimeter defenses the law firm had in place did not matter once an employee was deceived into granting access. Password resets and outside forensic teams arrived only after the data was already gone.
For organizations that share sensitive employee data with third-party vendors — which includes virtually every enterprise at any scale — this incident reinforces several critical points that go well beyond generic security awareness programs.
Contractual obligations need teeth, not just language. Vendor contracts need to specify breach notification timelines with legally enforceable consequences for delay, including liquidated damages clauses triggered by late disclosure. A six-month notification window is not a compliance gap; at that scale, it is a contractual failure. Organizations that negotiate SLAs for uptime should be negotiating SLAs for breach notification with equal rigor. The contract should also define exactly what constitutes a reportable incident and require the vendor to notify upon detection of suspicious activity — not after an investigation is complete.
Social engineering scenarios must replace phishing simulations as the primary training model for third-party staff. Security awareness training at third parties has historically defaulted to click-rate metrics from simulated phishing emails. Vishing is a fundamentally different threat: it is live, adaptive, and exploits verbal authority rather than visual deception. Vendors handling sensitive data should be required to demonstrate that their employees undergo live-scenario vishing simulations and role-play exercises that include impersonation of IT helpdesk staff — precisely the scenario the FBI documented in the Silent Ransom Group advisory. A phishing email simulation passing rate does not indicate any readiness for this attack type.
Access architecture should be scoped to the actual work being performed. The core structural failure here was that a single compromised employee had access to files containing the personal data of thousands of people. That is not a training problem; it is an architecture problem. Data access at third-party vendors should be governed by role-based access controls tied to the minimum data set required for the specific work being done, with time-limited access tokens rather than persistent credentials. Files containing SSNs and tax records do not need to be accessible to every employee of a law firm because the firm handles tax matters. Access should require explicit authorization on a matter-by-matter basis, and access logs should be retained and reviewable by the client on request.
Vendor security assessments need to reach into the human layer, not just the technical stack. Standard vendor risk questionnaires and SOC 2 reports document controls at the infrastructure level. They say little about how staff are trained to handle unexpected calls from someone claiming to be IT, or whether the firm has a documented protocol for verifying the identity of a caller before granting remote access. Organizations should include social engineering scenario response procedures as an explicit line item in vendor assessments, particularly for vendors in the legal and professional services sector where technical security maturity often lags the volume and sensitivity of data handled.
Data minimization is a structural control that limits blast radius. If Ericsson's tax firm did not need to retain copies of employee Social Security numbers and tax records beyond the immediate period of active work, those records should not have been sitting in accessible storage at the time of the breach. Data retention policies at third-party vendors should mirror those of the contracting organization, and organizations should verify through periodic audits that vendors are actually deleting or archiving data they no longer need rather than retaining it indefinitely. A breach of a law firm that holds five years of client tax records is categorically more damaging than a breach of a firm that deletes records ninety days after a matter closes.
For the legal sector specifically, professional liability insurance requirements should include a breach notification SLA. Law firms typically carry professional liability (malpractice) coverage. Organizations that share sensitive data with outside counsel should require evidence that those policies cover cybersecurity incidents and include coverage for breach response costs and client notification. More importantly, they should negotiate into their engagement letters a notification obligation that is shorter than whatever the law firm's insurance carrier recommends. Insurance counsel and professional responsibility counsel will often advise caution and investigation completeness before notifying a client; the client's engagement letter should specify a timeline that runs on detection, not on investigation completion.
James Neilson, SVP of Global at OPSWAT, commented publicly on the incident, noting that it underscores the growing threat to telecom providers and the need for robust vendor security protocols across high-risk sectors. Telecoms present a particularly concentrated risk profile: they handle large quantities of personal data for both business customers and individual consumers, they operate through extensive networks of third-party vendors and contractors, and the trust placed in them by their customers and employees is correspondingly high.
James Neilson, SVP of Global at OPSWAT (Cyber Magazine, March 2026), warned that even unconfirmed misuse of stolen data creates serious downstream risk, with breaches of this type inevitably raising concerns around identity theft and fraud.
In its March 2026 notification letters to affected individuals, Ericsson stated that its service provider had found no evidence of misuse of potentially affected information as of the time of disclosure.
That statement, while technically accurate as of the time of disclosure, offers limited reassurance. Tax data and Social Security numbers together are enough for a threat actor to file false federal tax returns, open fraudulent financial accounts, or commit employment identity fraud. The fact that misuse has not been confirmed does not mean the data has not been sold or staged for use. Affected individuals should take protective action regardless of whether they have seen immediate suspicious activity, with particular attention to their IRS tax filing history.
Key Takeaways
- The attack vector was social engineering, not a technical exploit. A vishing or phishing attack targeting a single employee at a law firm was sufficient to access files containing the personal data of 15,661 Ericsson employees. Technical security controls did not stop it.
- The vendor was a law firm handling Ericsson's U.S. tax matters. This detail, confirmed by Ericsson directly to 5GStore, was absent from most published coverage. It is material because it shapes both the specific data at risk and the legal accountability questions that follow.
- The data involved is employee tax information, primarily including Social Security numbers. The broader data categories listed in some AG filings reflect the full inventory of data types across all companies whose records resided with the same vendor. The confirmed scope specific to Ericsson is narrower, but still dangerous. Tax data plus SSNs is a complete toolkit for tax fraud and identity theft.
- The notification gap of nearly eleven months is operationally significant. Employees could not protect themselves during a window when their data was potentially being sold or used. The vendor's six-month delay in notifying Ericsson is the central accountability question, and it may carry professional responsibility implications under state bar ethics rules governing the safeguarding of client data.
- This breach fits a documented threat pattern targeting U.S. law firms. The FBI warned specifically about vishing campaigns against legal sector organizations in May 2025, one month after the Ericsson breach window. The attack method, the target type, and the absence of any public claim are all consistent with known threat actor behavior in the legal sector. No attribution has been made, but the incident did not happen in isolation.
- This is Ericsson's second significant third-party exposure in under a year. The August 2025 Salesloft/Drift incident and the March 2026 law firm disclosure together represent a pattern of third-party risk that Ericsson's enterprise customers and employees should take into account.
- If you received a notification letter, act before June 9, 2026 — but do not stop there. Enroll in IDX, freeze your credit with all three major bureaus, and get an IRS Identity Protection PIN to guard against fraudulent tax filing. Twelve months of monitoring does not cover the full window of risk for data stolen in April 2025. Credit freezes and an IRS IP PIN are permanent protections that do not expire with a vendor's enrollment deadline.
As of press time, no threat actor has claimed the breach, Ericsson has declined to comment beyond its notification letters, and the identity of the law firm involved remains undisclosed. Class action attorneys have begun investigating the incident on behalf of affected individuals.
Sources
BleepingComputer — Ericsson US discloses data breach after service provider hack
The Register — Ericsson breach blamed on third party vendor vishing attack
SecurityWeek — Thousands Affected by Ericsson Data Breach
Infosecurity Magazine — Ericsson Breach Exposes Data of 15k Employees and Customers
TechRadar — Ericsson US reveals employee and customer data breach after third-party hack
Security Affairs — Ericsson US confirms breach after third-party provider attack
SC Media — Ericsson data breach exposes employee and customer information
ClassAction.org — Ericsson Data Breach Compromises SSNs; Lawyers Investigating
ClaimDepot — Ericsson Inc Data Breach Affects Over 4k: PHI and PII Exposed
5GStore — Ericsson U.S. Data Breach: Corrected — Employee Tax Data Only, No Customer Impact (corrected post, based on direct communication from Ericsson)
Ericsson/Cradlepoint — Salesloft Drift data breach: Key details for Ericsson Enterprise Wireless Solutions customers
Krebs on Security — The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft
Cyber Magazine — Ericsson Data Breach Exposes Third-Party Service Risks (includes James Neilson / OPSWAT quote)
FBI Cyber Division — Silent Ransom Group Targeting Law Firms (May 23, 2025)
Halcyon — INC Ransom Group Mounts Rapid Campaign Against Law Firms (includes 2025–2026 legal sector tracking data)
NYC Bar — Formal Opinion 2024-3: Ethical Obligations Relating to a Cybersecurity Incident