Abbott confirms a Cancer Diagnostics cyber incident; ShinyHunters claims a vished Entra SSO account and 30M+ records
Abbott Laboratories is investigating a cyber incident and states there was "unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only," adding that there is "no impact to any other Abbott businesses, sites or systems" and that the legacy Exact Sciences systems (Exact Sciences was folded into Abbott's diagnostics business in a 2026 acquisition) remain separate from Abbott's core infrastructure (Abbott, 2026-07-16). Abbott has not named an actor, confirmed a method, or disclosed what kind of information was accessed (MedTech Dive, 2026-07-17).
The ShinyHunters extortion group (registry-tracked, alias UNC6240) claims responsibility, saying the intrusion began with a vishing (voice-phishing) attack targeting several Abbott employees that compromised a Microsoft Entra ID single-sign-on account, which was then used to "exfiltrate data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa" — the actor's leak-site posting claims more than 30 million customer records, medical notes and orders, and set a leak deadline it later pushed to 21 July (BleepingComputer, 2026-07-17). A second, separate claim by an actor calling itself "ShadowByt3\$" alleges compromise of an externally facing LabCentral portal, which BleepingComputer reports houses publicly available technical product reference documents and does not contain proprietary or sensitive customer or business information (BleepingComputer, 2026-07-17). The record counts and the specific SaaS platforms are the actor's unverified claim, not Abbott's confirmation.
Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only.
ShinyHunters claimed it exfiltrated data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, including internal documents, contracts, and customer information.
ATT&CK mapping
3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1078.004Valid Accounts: Cloud Accounts
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
T1566.004Phishing: Spearphishing Voice
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
Persistence TA0003
T1078.004Valid Accounts: Cloud Accounts
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
Privilege Escalation TA0004
T1078.004Valid Accounts: Cloud Accounts
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
Stealth TA0005
T1078.004Valid Accounts: Cloud Accounts
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
Collection TA0009
T1530Data from Cloud Storage
Adversaries may access data from cloud storage.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.