The company had earlier disclosed that its corporate IT infrastructure had been compromised by hackers. The cyber extortion group ShinyHunters later claimed responsibility for the attack, alleging it had obtained around 9 million records containing personally identifiable information (PII) and internal corporate data.
According to the notification shared by the company, “On April 15, 2026, Medtronic became aware of unusual activity on certain corporate IT systems.”
The notice further states, “Medtronic launched an investigation with the assistance of leading third-party cybersecurity experts to determine the impact and scope of the incident.”
Following the investigation, the company concluded that “The investigation determined that from April 13 to April 19, 2026, an unauthorized actor accessed certain Medtronic corporate IT systems.”
The information that may have been exposed includes:
Full name
Contact information
Date of birth
Social Security number
Health-related information
ShinyHunters is known for publishing stolen information when ransom demands are not met. The group reportedly added Medtronic to its dark web leak site on April 18, claiming it possessed more than 9 million records and warning that the data would be released if a ransom was not paid by April 21.
However, the listing disappeared from the group's portal later that month. In its customer notification, Medtronic clarified that the compromised data has not been made publicly available online.
Medtronic operates in over 150 countries and employs approximately 95,000 people, generating annual revenue of around $33.5 billion.
Despite the breach involving customer information, the company has reassured users that its medical devices continue to operate safely and were not impacted by the cybersecurity incident.
Customers receiving breach notifications are being encouraged to enroll in the company's complimentary 24-month credit monitoring and identity theft protection program to reduce potential risks.
The company has also advised affected individuals to stay alert for suspicious emails, messages, or calls that could exploit the exposed information for phishing, social engineering, or other fraudulent activities. Customers are also encouraged to regularly review their account activity for any signs of unauthorized access.
The attack leveraged CVE-2026-35273, a critical vulnerability with a CVSS score of 9.8. The flaw exists in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62. It allows attackers to move from an unauthenticated Server-Side Request Forgery (SSRF) attack to full Remote Code Execution (RCE) without requiring user interaction or authentication. Because the vulnerability can be exploited over standard HTTP, any exposed and unpatched server is at significant risk.
Oracle released an emergency security update on June 10, 2026, to address the flaw. Two days later, the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation.
According to security researchers at Mandiant and Google’s Threat Intelligence Group (GTIG), the ShinyHunters group began exploiting the vulnerability as early as May 27, 2026—more than two weeks before Oracle publicly disclosed the issue. During that period, attackers reportedly compromised more than 300 Oracle PeopleSoft instances across over 100 organizations using automated attack tools.
Breach notifications submitted to the California Attorney General’s Office revealed that Nissan Americas was among the organizations impacted during the wider campaign. The company's investigation found that the intrusion occurred between May 27 and June 9, 2026.
The compromised information may include employee contact details, banking information, Social Security Numbers (SSN), Social Insurance Numbers (SIN), National Identification Numbers, financial and tax records, as well as dependent and beneficiary information. The incident affects both current and former employees in the U.S., Canada, Mexico, and Brazil.
Following the discovery of the breach, Nissan activated its incident response procedures, brought in external cybersecurity experts, and coordinated with law enforcement agencies. As part of its containment measures, the company limited payroll system access, allowing employees to view pay slips and modify direct deposit details only through corporate network computers or secure VPN connections. Additional identity verification measures have also been introduced for payroll-related requests. Nissan said it is providing complimentary credit monitoring and dark web monitoring services to eligible affected individuals.
Mandiant's investigation found that attackers installed MeshCentral remote management agents on compromised systems while disguising them as legitimate Microsoft Azure services, including meshagent64-azure-ops.exe. Command-and-control communications were routed through wss://azurenetfiles[.]net:443/agent.ashx.
The attackers also carried out post-compromise activities such as reviewing PeopleSoft configurations, moving laterally across networks, and compressing stolen data using zstd before exfiltration. Infected servers were left with a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.
Cybersecurity firms Rapid7 and Mandiant have urged organizations running Oracle PeopleTools 8.61 or 8.62 to immediately apply Oracle’s security updates. They also recommend disabling or restricting access to the PSEMHUB service, blocking external access to /PSEMHUB/* and /PSIGW/HttpListeningConnector, monitoring outbound SMB traffic for potential NetNTLM hash capture attempts, investigating systems for signs of compromise even after patching, and rotating credentials that may have been exposed.
The incident represents the second major Oracle ERP zero-day vulnerability with a CVSS score of 9.8 to be actively exploited in less than eight months. It follows the exploitation of CVE-2025-61882 in Oracle E-Business Suite by the Cl0p ransomware group in 2025, highlighting the growing focus of organized cybercriminal groups on enterprise resource planning (ERP) platforms.
Canadian outsourcing and digital services firm Telus Digital has confirmed that it experienced a cybersecurity incident after threat actors alleged they had extracted an enormous volume of data, estimated at nearly one petabyte, over a prolonged period of unauthorized access.
Telus Digital operates as the outsourcing and digital solutions division of Telus. The company provides services such as customer support, content moderation, artificial intelligence data operations, and other business process outsourcing functions to organizations around the world. Because firms in this sector often manage customer interactions, billing systems, and internal authentication tools on behalf of multiple clients, they are frequently targeted by attackers aiming to gain access to large datasets through a single compromise.
The breach has been linked to a threat group known as ShinyHunters, which claims it obtained a wide range of customer-related data connected to Telus Digital’s outsourcing services, along with call records tied to Telus’ consumer telecommunications operations.
Reports about a possible breach had surfaced earlier this year, and inquiries were made to the company at the time, though no response was received then. Telus has now acknowledged the incident, stating that it is investigating what information may have been accessed and which customers could be affected.
In its official statement, the company said unauthorized access was identified in a limited number of systems. It added that immediate steps were taken to contain the activity and prevent further intrusion. Telus also stated that its operations remain fully functional, with no evidence of disruption to customer connectivity or services. The company confirmed that external cyber forensics specialists have been engaged and that law enforcement authorities are involved. It further noted that additional safeguards have been implemented and that affected customers will be notified where appropriate.
Sources indicated that the attackers attempted to extort the company, but Telus did not engage in communication with them.
Attack Method and Data Exposure Claims
After learning that the company was not negotiating, the attackers were contacted for further details regarding the incident.
According to their claims, the intrusion began with access to Google Cloud Platform credentials that were previously exposed in data linked to the Salesloft Drift breach. In that earlier incident, attackers extracted Salesforce data belonging to approximately 760 organizations, including customer support tickets. These records were then examined to locate credentials, authentication tokens, and other sensitive information, which could be reused to access additional systems.
The threat actors stated that they identified credentials associated with Telus within that dataset. These credentials allegedly enabled them to access multiple internal systems, including a large BigQuery data environment. After extracting initial data, they reportedly used the tool trufflehog to scan for further secrets, allowing them to expand their access into additional parts of the company’s infrastructure.
The group claims that the total amount of data taken is close to one petabyte, though this figure has not been independently verified. They also shared the names of 28 well-known companies that they allege were affected. However, these claims have not been confirmed, and the identities of those organizations remain undisclosed.
The data described by the attackers covers a wide range of business operations. This includes information related to customer support services, call center activities, agent performance metrics, AI-powered support systems, fraud detection mechanisms, and content moderation processes. In addition, they claim to have accessed source code, financial records, Salesforce data, background verification documents, and recordings of customer service calls.
The breach is also said to affect Telus’ telecommunications operations, particularly its consumer fixed-line services. The allegedly exposed data includes detailed call logs, voice recordings, and campaign-related information. Samples of these call records reportedly contain timestamps, call durations, originating and receiving numbers, and technical metadata such as call quality indicators.
Overall, the nature of the exposed data appears to vary significantly depending on the organization, indicating that multiple business functions across different clients may have been impacted.
The attackers stated that they began extortion attempts in February, demanding $65 million in exchange for not releasing the stolen data. The company did not respond to these demands.
Telus has indicated that further updates may be provided as its investigation progresses.
Who Are ShinyHunters
The name ShinyHunters has been associated with various individuals and cyber incidents over time, but the group currently operating under this identity has emerged as one of the more active data extortion actors in recent months. Their operations have largely focused on compromising cloud-based platforms, particularly those connected to enterprise software ecosystems.
The group has been linked to incidents involving major organizations such as Google, Cisco, and Match Group, among others.
More recently, their tactics have expanded to include voice phishing, or vishing, attacks. In these cases, employees are contacted by individuals posing as IT support staff and are persuaded to reveal login credentials or multi-factor authentication codes through fraudulent websites. The group has also been observed using device code phishing techniques to obtain authentication tokens linked to identity platforms such as Microsoft Entra.
Once valid credentials and authentication codes are obtained, attackers can take control of single sign-on accounts and gain access to interconnected enterprise services, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
Security Implications
This incident reflects a broader trend in which attackers reuse previously stolen data to launch new intrusions. It also highlights the elevated risk associated with outsourcing providers that centralize sensitive operations for multiple organizations.
Cybersecurity experts increasingly note that modern attacks often occur in stages, where one breach creates opportunities for subsequent compromises. As businesses continue to rely on cloud platforms and third-party service providers, the potential scale and impact of such incidents continue to grow.
The situation is currently under investigation, and additional verified details are expected as more information surfaces.
The cybersecurity breach at enterprise software provider Red Hat has intensified after the hacking collective known as ShinyHunters joined an ongoing extortion attempt initially launched by another group called Crimson Collective.
Last week, Crimson Collective claimed responsibility for infiltrating Red Hat’s internal GitLab environment, alleging the theft of nearly 570GB of compressed data from around 28,000 repositories. The stolen files reportedly include over 800 Customer Engagement Reports (CERs), which often contain detailed insights into client systems, networks, and infrastructures.
Red Hat later confirmed that the affected system was a GitLab instance used exclusively by Red Hat Consulting for managing client engagements. The company stated that the breach did not impact its broader product or enterprise environments and that it has isolated the compromised system while continuing its investigation.
The situation escalated when the ShinyHunters group appeared to collaborate with Crimson Collective. A new listing targeting Red Hat was published on the recently launched ShinyHunters data leak portal, threatening to publicly release the stolen data if the company failed to negotiate a ransom by October 10.
As part of their extortion campaign, the attackers published samples of the stolen CERs that allegedly reference organizations such as banks, technology firms, and government agencies. However, these claims remain unverified, and Red Hat has not yet issued a response regarding this new development.
Cybersecurity researchers note that ShinyHunters has increasingly been linked to what they describe as an extortion-as-a-service model. In such operations, the group partners with other cybercriminals to manage extortion campaigns in exchange for a percentage of the ransom. The same tactic has reportedly been seen in recent incidents involving multiple corporations, where different attackers used the ShinyHunters name to pressure victims.
Experts warn that if the leaked CERs are genuine, they could expose critical technical data, potentially increasing risks for Red Hat’s clients. Organizations mentioned in the samples are advised to review their system configurations, reset credentials, and closely monitor for unusual activity until further confirmation is available.
This incident underscores the growing trend of collaborative cyber extortion, where data brokers, ransomware operators, and leak-site administrators coordinate efforts to maximize pressure on corporate victims. Investigations into the Red Hat breach remain ongoing, and updates will depend on official statements from the company and law enforcement agencies.