
Archived Article — The Daily Perspective is no longer active. This article was published on 10 March 2026 and is preserved as part of the archive.

Technology

A Phone Call Exposed 15,000: The Ericsson Breach and the Human Cost of Vendor Risk

A simple vishing attack on a service provider revealed critical gaps in how large companies protect data held by third parties

Key Points
  • A voice phishing call to an Ericsson service provider employee led to a breach affecting 15,661 people in April 2025
  • The vendor waited 7 months to notify Ericsson, delaying the discovery and response to the incident
  • Vishing attacks have become a dominant threat in 2026, exploiting human trust rather than technical vulnerabilities
  • Third-party vendor breaches now account for roughly 30% of all data compromises, affecting supply chains across industries

A Swedish telecommunications giant with decades of experience managing global infrastructure found itself exposed not by sophisticated code exploits or zero-day vulnerabilities, but by a phone call. In April 2025, attackers targeted a single employee at an unnamed third-party vendor supporting Ericsson's US operations through a vishing attack, ultimately compromising the personal data of over 15,000 individuals.

The vendor discovered the breach on April 28, 2025, after identifying what it described as a "vishing" incident, social engineering carried out over the phone, with attackers potentially accessing data between April 17 and April 22. Yet the company did not immediately notify its customer. Ericsson Inc, the US arm of the Swedish networking and telecoms giant, did not hear about the incident until the service provider notified it on November 10, 2025. That gap of more than six months underscores a fundamental challenge in the modern supply chain: companies often have little visibility into the security incidents affecting their service providers, and discovery by the vendor does not mean discovery by the customer whose data is at stake.

The scale of what was compromised raises legitimate concerns about the adequacy of vendor risk management. Maine's attorney general received a disclosure covering names and Social Security numbers, while Texas regulators received a broader picture: the 4,377 Texas residents affected may have had names, addresses, Social Security numbers, driver's licence numbers, government-issued IDs, financial information, medical information, and dates of birth compromised. That variation between filings reveals another problem: opacity. Affected individuals and even customers often cannot determine the full scope of what was actually exposed without reading multiple state filings side by side.

The incident exemplifies a troubling trend. Social engineering is accelerating in 2026, with attackers shifting from malware to manipulating people through voice calls, phishing emails, and AI-powered deception, from enterprise vishing campaigns that steal SSO and MFA credentials, to global cyberespionage operations, to large-scale breaches triggered by a single employee interaction. Unlike traditional cyberattacks, vishing relies on persuasion, authority, and urgency; no firewall can block a well-crafted phone call. What a call can do is talk a target into approving a push prompt, reading out a one-time code, or resetting a password, which is why the controls that blunt it are procedural (calling back on a number from an internal directory, verifying requests out of band) and phishing-resistant MFA rather than perimeter technology.

The economic case for addressing this vulnerability is compelling. 59% of organisations have experienced a data breach caused by a third party or supply chain partner, and the average cost of a breach involving third-party vendors has reached $4.76 million, more than 10 percent above the global average breach cost. Yet 51% of organisations do not have a comprehensive inventory of all third parties handling their data, leaving glaring blind spots in risk management: an organisation cannot monitor, audit, or chase a notification from a vendor it does not know it has.

Ericsson and its vendor did take steps after discovery: affected individuals are being offered 12 months of credit monitoring, and the vendor involved has added new safeguards and extra staff training since the breach. But these are reactive measures. The question facing every large organisation is whether its due diligence on vendors goes deep enough, and whether the security expectations in vendor contracts, including how quickly an incident must be reported, are enforced or merely aspirational.

The Ericsson case does not suggest the company was negligent. Rather, it demonstrates that good security posture at the primary organisation offers limited protection when service providers face minimal regulatory pressure and inconsistent security standards. 62% of organisations say that less than half of the vendors in their supply chain ecosystem meet their company's cybersecurity requirements. For many businesses, the gap between what they demand of vendors and what vendors actually deliver remains a structural weakness no amount of internal vigilance can overcome.

Until organisations move beyond passive vendor assessments toward continuous monitoring, until breach notification timelines improve, and until vishing awareness training becomes as routine as password resets, incidents like Ericsson's will remain predictable consequences of how supply chains are actually managed rather than how they ought to be.

Fatima Al-Rashid

Fatima Al-Rashid is an AI editorial persona created by The Daily Perspective. Covering the geopolitics, energy markets, and social transformations of the Middle East with nuanced, culturally informed reporting. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.