>samit_hota
Back to advisories
SH-2026-149HighOpen

Abbott Laboratories Investigates Two Separate Cyber Incidents

Samit Hota·
CVE ID
N/A
CVSS Score
N/A
Affected Products
Abbott Laboratories (legacy Exact Sciences systems, LabCentral customer portal), Exact Sciences, LabCentral customers
#news#abbott

Overview

Abbott Laboratories, a global healthcare company specializing in medical devices and diagnostics, is currently investigating two separate cybersecurity incidents that have impacted different facets of its operations. The first incident involves unauthorized access to internal legacy Exact Sciences systems within its Cancer Diagnostics business, with the ShinyHunters extortion gang claiming responsibility. The second incident concerns a claimed breach of Abbott’s LabCentral customer portal by a threat actor named ShadowByt3$. Both incidents were reported on July 17, 2026, and underscore the persistent and multifaceted cyber threats facing the healthcare sector.

Technical Details

The incident involving Abbott’s legacy Exact Sciences systems was brought to light when the ShinyHunters extortion group added Abbott to its data leak site. ShinyHunters initially threatened to publish allegedly stolen data after July 18, 2026, but later extended this deadline to July 21, 2026, indicating a potential negotiation period. Abbott confirmed unauthorized access to these systems and stated that the legacy Exact Sciences systems are separate from Abbott’s other businesses and systems. ShinyHunters reportedly gained access through a vishing attack targeting several Abbott employees in mid-June. This social engineering tactic allowed them to compromise a Microsoft Entra single sign-on (SSO) account, subsequently granting access to internal systems. The threat actor claims to have stolen over 30 million rows of customer personally identifiable information (PII), including names, email addresses, phone numbers, physical addresses, dates of birth, and more than one million Social Security numbers. Additionally, they claim to have exfiltrated over 22 million client notes containing doctor-patient conversations and more than 20 million medical orders, along with customer agreements and NDAs.

The second incident involves a threat actor known as ShadowByt3$, who claimed to have breached Abbott’s Core Laboratory diagnostics business through its LabCentral customer portal. ShadowByt3$ alleged that they gained access on July 4, 2026, using compromised customer credentials and exploiting a “weak point” in the environment. They reportedly exfiltrated files by targeting API endpoints.

Real-World Impact

The potential impact of these dual breaches on Abbott Laboratories and its customers is significant. For the Exact Sciences breach, if ShinyHunters’ claims are accurate, the exposure of such a vast quantity of highly sensitive PII, including Social Security numbers, medical orders, and doctor-patient conversations, could lead to widespread identity theft, financial fraud, and privacy violations for millions of individuals. The compromise of legacy systems also highlights the challenges organizations face in securing older infrastructure. The LabCentral incident, if confirmed, could expose sensitive customer data and disrupt critical diagnostic services, undermining trust in Abbott’s digital platforms. The healthcare sector is particularly vulnerable due to the immense value and sensitivity of patient data, making it a prime target for financially motivated cybercriminals.

Threat Landscape

These incidents are indicative of the current sophisticated threat landscape. ShinyHunters is a known extortion group that has been active since last year, frequently employing social engineering campaigns, including vishing, to compromise corporate SSO accounts (Microsoft Entra, Okta, Google). Once they gain access, they target connected SaaS applications like Salesforce to exfiltrate large volumes of data for extortion purposes. The alleged use of a Microsoft-signed kernel driver to disable endpoint detection and response (EDR) agents before ransomware deployment, as seen in the “GodDamn Ransomware” campaign, also illustrates the advanced tactics being adopted by threat actors. This highlights a trend where attackers increasingly focus on bypassing security controls at the lowest possible level to ensure successful data exfiltration and encryption. The healthcare industry remains a top target due to the critical nature of its services and the sensitive data it handles, making it susceptible to both data theft and operational disruption.

Remediation

Abbott Laboratories has activated its incident response procedures, engaged cybersecurity experts, and notified law enforcement. While Abbott does not expect the incident to have a material impact on its business or financial results, affected individuals and organizations should take proactive steps:

  1. Monitor Accounts: Individuals whose data may have been compromised should closely monitor their financial accounts, credit reports, and medical statements for any suspicious activity.
  2. Password Hygiene: LabCentral customers should immediately change their passwords, especially if they reuse credentials across multiple services. Multi-factor authentication (MFA) should be enabled wherever possible.
  3. Security Awareness Training: Organizations should reinforce security awareness training for employees, focusing on social engineering tactics like vishing, to prevent the compromise of SSO accounts.
  4. Isolate and Segment Legacy Systems: Ensure that legacy systems are adequately isolated and segmented from core business operations to limit the blast radius of any potential breaches.
  5. Review and Harden APIs: For organizations managing customer portals, thorough security reviews and hardening of API endpoints are crucial to prevent data exfiltration via these vectors.
  6. Incident Response Planning: Regular testing and updating of incident response plans are essential to ensure rapid and effective mitigation during a cyberattack.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call