Abbott Laboratories Investigates Two Separate Cyber Incidents Amid Extortion Claims
Abbott Laboratories is probing two distinct cybersecurity incidents, one involving unauthorized access to legacy Exact Sciences systems and another concerning a breach of its LabCentral portal, with threat actors claiming data theft.

Abbott Laboratories is currently investigating two separate cybersecurity incidents that have emerged concurrently. The first incident involves unauthorized access to internal legacy systems within its Cancer Diagnostics business, specifically those inherited from Exact Sciences. The second, unrelated incident concerns a claimed breach of Abbott's LabCentral customer portal, with threat actors asserting they have exfiltrated company data.
The Cancer Diagnostics incident came to light after the extortion group ShinyHunters listed Abbott on its data leak site, initially threatening to publish stolen data by July 18th, later extending the deadline to July 21st. Abbott confirmed the unauthorized access, stating that it was limited to a "limited number of internal systems in our Cancer Diagnostics business only." The company emphasized that this incident does not impact any business operations, product availability, manufacturing, or its ability to serve patients, and that the legacy Exact Sciences systems are separate from Abbott's core infrastructure.
Abbott has activated its incident response protocols, engaged external cybersecurity experts, and notified law enforcement agencies regarding the Cancer Diagnostics breach. The company anticipates no material impact on its business or financial results from this incident. ShinyHunters claims to have gained access through a vishing attack targeting Abbott employees in mid-June, which compromised a Microsoft Entra single sign-on (SSO) account, enabling access to internal systems and connected SaaS applications.
ShinyHunters alleges that it exfiltrated data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, including internal documents, contracts, and customer information. The group further claims to have stolen over 30 million rows of customer personally identifiable information (PII), including names, email addresses, phone numbers, physical addresses, dates of birth, and over a million Social Security numbers. Additionally, they claim to have obtained over 22 million client notes containing doctor-patient conversations and over 20 million medical orders, though BleepingComputer has not independently verified these claims.
The second incident involves a threat actor known as ShadowByt3$, who claims to have breached Abbott's Core Laboratory diagnostics business through its LabCentral customer portal. ShadowByt3$ alleges they gained access on July 4th using compromised customer credentials and exploited API endpoints to exfiltrate files. The threat actor claims the stolen data includes CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, and other product-related information, but asserts that no customer data was compromised.
Abbott acknowledged awareness of this "potential" cyber incident but disputed the nature of the data claimed to be stolen. The company stated that LabCentral is an externally facing, third-party hosted portal containing publicly available technical product reference documents, such as operating manuals and specifications, and does not house sensitive customer or business information. Neither ShinyHunters nor ShadowByt3$ has publicly released any data they claim to have stolen from Abbott as of this report.
These incidents highlight the persistent threats faced by large healthcare and diagnostics companies, with threat actors employing sophisticated social engineering tactics and exploiting various access points. The dual nature of the attacks, involving both internal system compromise and customer portal breaches, underscores the need for comprehensive security strategies across all facets of an organization's digital footprint.