Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment
From CTI Daily Brief — 2026-07-03 · published 2026-07-03
Medical-device manufacturer Medtronic began notifying customers on 2026-07-02 of a breach the ShinyHunters extortion group first claimed in April. Medtronic's investigation found an unauthorized actor accessed certain corporate IT systems between 2026-04-13 and 2026-04-19 after unusual activity was noticed on 2026-04-15; ShinyHunters listed the company on its leak portal on 2026-04-18 claiming ~9 million records (names, contact details, dates of birth, Social Security numbers, health-related information) and later pulled the entry — consistent with the group's pattern after a ransom is paid (BleepingComputer, 2026-07-02). Medtronic states it found "no evidence" the data was published, and that the compromised corporate systems were segregated from device-operating networks so therapy delivery was unaffected (The Register, 2026-07-02). No initial-access vector is disclosed. This is the same ShinyHunters cluster behind the recent Salesforce/PeopleSoft-adjacent extortion wave (Nissan, NAIC — see prior coverage), but a corporate-IT compromise rather than the SaaS-integration pattern seen elsewhere; the source does not confirm shared tradecraft.
Defender takeaway: a delisted extortion-portal entry is not proof of data destruction — treat any listed-then-delisted victim as presumptively breached and monitor for downstream credential-stuffing and DOB/PII-driven targeted phishing regardless of ransom outcome. The 2.5-month detection-to-notification gap is worth benchmarking against your own breach-notification SLAs.