Abbott probes two cyber incidents amid extortion claims
Two separate breaches highlight systemic security resilience challenges requiring immediate focus.
The headline is about two breaches at Abbott Labs, but the real lesson is about what happens when your incident response plan has to run in two directions at once. This is where security programs actually break.
What happened
Abbott Laboratories is dealing with two separate security incidents.
First, they confirmed someone got into legacy systems connected to their Exact Sciences Cancer Diagnostics business. This looks like a classic problem with inherited infrastructure from an acquisition.
At the same time, a different group of attackers claims they breached Abbott’s LabCentral portal and stole data, which they’re now using for extortion. Abbott is still investigating this second claim.
What people will get wrong
The easy, and wrong, takeaway is to see this as two unrelated technical failures. One take is “patch your legacy systems,” and the other is “secure your web portals.” Both are true, but that’s not the useful part of the story.
The real problem isn’t the two vulnerabilities; it’s the two simultaneous responses. You don’t have two CISOs, two legal teams, or two communications departments. Running two full-blown incident responses at the same time is a capacity and process problem, not just a technical one.
This is a resource contention problem
That sounds simple, but it’s where programs fall apart. Your incident response plan probably assumes a single, major event. But what happens when you have to split your A-team to handle two completely different situations?
One incident is a confirmed, smoldering breach on an old internal asset. The playbook for that is about containment, forensics, and remediation. The other is a loud, public extortion attempt based on an unverified claim. That playbook is about crisis communications, negotiation strategy, and validating attacker claims.
These are not the same fire. They require different skills, different tempos, and different external messages. The risk isn’t just that one of the technical responses will fail. The risk is that the leadership team gets overwhelmed, communications get crossed, and decision-making quality degrades across the board.
This is especially true with the M&A angle. The breach on the legacy system is a story we’ve seen a hundred times. If nobody properly owns the asset after an acquisition, nobody owns the risk. The dashboard is not the control. You can’t manage a system you don’t have clear ownership over, and you can’t respond effectively to a breach on an island.
What’s the next step?
This is less about panic and more about verification. The question isn’t “are we vulnerable to what hit Abbott?” but “could we handle both of these incidents at the same time?”
Use this as a prompt for a tabletop exercise. Don’t just war-game a generic breach. War-game a confirmed internal incident on a forgotten asset and a simultaneous, public extortion campaign.
Who leads each effort? How does the executive team get clear, unconfused updates? Can you prove you have the right telemetry and ownership records to even begin investigating both? The real failure mode is usually boring, and in this case, it would be the chaos of trying to do two things at once without a plan for it.
Source: Abbott probes two cyber incidents amid extortion claims