Overview
- Ribbon said unauthorized access likely began in December 2024 and was discovered in early September 2025 after months of undetected activity.
- Attackers viewed four older customer files stored on two laptops outside the main network, and three smaller affected customers have been notified.
- The company reports no evidence that customer systems were reached or that material information was taken, and it is unaware of any impact to government clients.
- Multiple third-party cybersecurity firms and federal law enforcement are assisting, and Ribbon believes it has terminated the intruders' access and strengthened defenses.
- Analysts cite similarities to earlier telecom espionage campaigns such as China-linked Salt Typhoon, but Ribbon has not attributed the intrusion and expects only non-material investigation and remediation costs.