Ribbon Communications says nation-state hackers breached its network; initial access traced to December 2024

Ribbon Communications disclosed in a filing with the U.S. Securities and Exchange Commission that unauthorized persons reportedly associated with a nation-state had gained access to its IT network. The company detected the activity in September 2025 and said preliminary evidence indicates initial access may have occurred as early as December 2024.

Ribbon provides networking solutions and secure cloud communications services to telecommunications companies and critical infrastructure organisations worldwide. The company has more than 3,100 employees across 68 global offices and lists customers that include the City of Los Angeles, the Los Angeles Public Library, the University of Texas at Austin, government customers such as the U.S. Department of Defense, and telecom providers including Verizon, CenturyLink, BT, Deutsche Telekom, Softbank and TalkTalk.

Ribbon said it is working with third-party cybersecurity experts and federal law enforcement and has preliminarily determined it has been successful in terminating the unauthorized access, with final determinations pending completion of the ongoing investigation. The company said it has not found evidence that the attackers accessed or stole “any material information”.

Investigators found the attackers had accessed files belonging to several customers that were stored on two laptops outside Ribbon’s main network. The company expects to incur additional costs in the fourth quarter of 2025 related to the investigation and to strengthening its network but does not currently anticipate those costs will be material. Ribbon has not attributed the intrusion to a specific actor, though the breach bears resemblance to a series of widespread telecom incidents last year; Comcast and Digital Realty were also flagged in previous assessments.