Ericsson U.S. Unit Discloses Vendor Breach That Exposed Employee and Customer Data
Ericsson's U.S. subsidiary notified California and Texas officials that a vendor breach in April 2025 may have exposed personal data of employees and customers.

Ericsson's U.S. subsidiary filed breach notification letters with California and Texas state authorities on Monday, disclosing that an unnamed third-party service provider suffered a security incident last spring that may have exposed personal information belonging to some Ericsson employees and customers.
According to Ericsson's notification, a limited subset of files may have been accessed or acquired without authorization between April 17 and April 22, 2025. The service provider did not detect the suspicious activity until nearly a week later. "On April 28, 2025, our service provider became aware of a suspicious event that may have involved potential unauthorized access to certain data on their system," Ericsson wrote in its letter to affected employees and customers, which was also posted on the California Department of Justice website.
The company said the vendor moved swiftly once the incident came to light. "It promptly initiated an investigation with the assistance of external cybersecurity specialists. It also notified the Federal Bureau of Investigation and implemented measures to enhance security and minimize the risk of a similar incident occurring in the future," Ericsson's letter stated.
Ericsson was direct in telling reporters where responsibility lay. In an email response, the company wrote that Ericsson itself was not breached; rather, one of its vendors was. The company did not identify the service provider or describe the vendor's role in its operations.
Despite the roughly ten-month gap between the incident and the formal state notifications filed March 9, 2026, Ericsson said investigators have so far found no evidence that the potentially exposed data has been misused. The company did not specify what categories of personal information were at risk, how many individuals received notification letters, or what remediation, such as credit monitoring or identity protection services, may have been offered to those affected.

The disclosure arrives against a backdrop of surging third-party cyber risk across the corporate world. Survey data cited in industry reporting found that 98 percent of organizations said at least one of their third-party vendors had suffered a data breach, and there were 3,205 publicly reported data compromises in 2023 alone, a 78 percent increase over the prior year. The Ericsson incident follows a well-worn pattern: a primary organization with a strong internal security posture finds its exposure rooted in a supplier or service partner rather than its own network.
The consequences for companies that fail to adequately secure vendor relationships can be severe. Marriott International was fined £18.4 million by the UK's Information Commissioner's Office after a breach originating in the Starwood reservation system exposed hundreds of millions of customer records, illustrating how regulators increasingly hold parent companies accountable for vendor vulnerabilities.
Ericsson did not provide additional details by press time. Outstanding questions include the identity of the breached vendor, the specific categories of data potentially exposed, the precise number of individuals notified, and the technical method used to gain unauthorized access. State filings with California and Texas regulators, dated March 9, 2026, are the most immediate source likely to contain further specifics.

