It started with one email, and Adobe lost 13 million customer records
Not a sophisticated zero-day exploit. Not a nation-state attack with custom malware. Just a regular-looking email sitting in the inbox of a support desk employee at an Indian BPO company, somewhere in an office very much like ones you might walk past every day in Pune, Mumbai, or Bengaluru. The employee opened it. And within weeks, Adobe lost 13 million customer records.
This is the story of the biggest supply chain breach of 2026. And if you run IT for any Indian bank, NBFC, insurance company, or enterprise, this story is about you too.
The Full Story
In early April 2026, a threat actor going by the name “Mr. Raccoon” made a startling announcement. He had breached Adobe, one of the world’s most recognised software companies, with a market cap of over $100 billion and a security team that most companies would envy.
But here is the part that should stop every IT leader cold: Mr. Raccoon never touched Adobe’s systems directly. He did not hack Adobe’s firewalls. He did not find a vulnerability in their software. He did not even try to get past their security perimeter. Instead, he went around it.
Adobe, like almost every large company in the world, outsources a portion of its customer support operations to a Business Process Outsourcing firm. That firm is based in India. Its employees handle customer tickets, technical queries, and account-related requests on Adobe’s behalf, with access to Adobe’s internal support systems.
The attacker sent a malicious email to one of those BPO employees. The email delivered a Remote Access Tool (RAT), software that, once installed, gave Mr. Raccoon full control of that employee’s computer. He could see the screen. He could read the files. He could even, reportedly, watch through the webcam.
From that single laptop, he escalated. He sent another phishing email, this time to the employee’s manager. Once the manager clicked, the attacker had even broader access to Adobe’s support environment. Adobe’s support ticketing system, it turns out, had a critical misconfiguration. As Mr. Raccoon himself told the International Cyber Digest: “They allowed you to export all tickets in one request from an agent.”
In plain terms, any support agent with access could download millions of customer records in a single click. There were no rate limits. No alerts triggered. No bulk export warnings.
He downloaded 13 million support tickets. 15,000 employee records. The confidential bug reports submitted through Adobe’s HackerOne bug bounty programme, which describe unpublished security vulnerabilities that other attackers could now exploit before Adobe has fixed them. And a trove of internal documents.
All of it, gone. Through one laptop. Through one email. Through one gap in the supply chain.
Why This Matters for Indian Companies
You might be reading this thinking: Adobe is an American company. This is not my problem.
Let us look at the facts more carefully.
The entry point for this attack was an Indian BPO company. The Indian BPO and IT services industry processes data for nearly every Fortune 500 company on the planet. It is a sector worth $250 billion. And as this attack demonstrates, it has become one of the most reliable entry points for attackers who cannot breach their primary targets through the front door.
This is not the first time. Crunchyroll was breached through an Indian outsourcing partner. Korean Air had 30,000 employee records stolen via a vendor. Conduent, a government services processor, affected 25 million Americans through a similar supply chain attack. The pattern is clear, and it is accelerating.
Now think about your own organisation. Your bank, NBFC, or insurance company has vendors. Your core banking software provider has support staff who connect to your systems. Your IT maintenance company has technicians who plug laptops into your network. Your security camera installer has a device on your LAN. Your payroll software vendor has remote access credentials.
Each of those is a potential Mr. Raccoon entry point.
And right now, in most Indian financial institutions, nobody is watching those connections in real time.
What Went Wrong
This breach was not caused by one mistake. It was caused by a chain of failures, each one small enough to seem acceptable on its own, but together they created a catastrophic gap.
1. The BPO had no device security standards
The employee’s laptop was able to receive and run a Remote Access Tool without anything blocking it. A managed corporate laptop with endpoint detection and response (EDR) and application allow-listing would very likely have flagged or blocked the installation. One caveat worth stating: attackers increasingly deliver commercial remote-administration software that signature-based antivirus treats as legitimate, so the control that matters is allow-listing plus behavioural detection, not antivirus alone.
2. There was no network visibility on who was accessing what
Once the attacker was inside the BPO’s network, nobody noticed. There was no system watching for unusual device behaviour, unusual access patterns, or unrecognised connections to Adobe’s systems.
3. Adobe’s ticketing system had no bulk export limits
Pulling 13 million records should have triggered an alert somewhere. It did not. This is a fundamental access control failure on Adobe’s side. A support agent needs to read and update the tickets assigned to them; no agent needs a one-request export of the entire ticket store. The principle of least privilege, meaning every user can access exactly what their role requires and nothing more, was absent from the export path, and nothing compensated for that with volume limits or alerting.
4. There was no vendor access monitoring
Adobe gave the BPO access to its support environment. But there appears to have been no real-time monitoring of what the BPO’s machines were doing inside that environment. Access was granted and then essentially unsupervised.
5. Phishing training was clearly insufficient
Two people in the same chain, an employee and then their manager, both fell for phishing emails. This points to either an absence of regular phishing simulation training or a training programme that was not effective enough to protect against well-crafted social engineering.
How This Could Have Been Stopped
Here is the uncomfortable truth: this breach was entirely preventable. Not with exotic or expensive technology. With basic, proven security practices that every organisation should already have in place.
- Control every device that enters your network
The moment the attacker installed a RAT on the BPO laptop, that laptop became a threat. If Adobe or the BPO had deployed Network Access Control, a compromised laptop whose posture changed, with new processes, new outbound connections, or a changed device fingerprint, could have been flagged or quarantined automatically instead of months later.
Network Access Control (NAC) solutions like EasyNAC work by watching every device on the network continuously. The moment a device starts behaving differently from its baseline, it is flagged or blocked automatically. A practitioner’s caveat: NAC sees devices and their network behaviour, not the inside of an encrypted session, so catching the RAT itself is the job of endpoint detection and egress monitoring. NAC’s contribution is that the compromised device is known, identified, and can be cut off from the vendor segment the moment either of those signals fires.
- Enforce least-privilege access strictly
No support agent should ever be able to export 13 million records in a single click. Access should be scoped strictly to what each role needs. Bulk exports should require multi-level approval. This is basic access control hygiene that Adobe’s ticketing system was missing.
- Monitor vendor connections separately
Every vendor or BPO partner who connects to your systems should be on a separate, monitored network segment. Their devices should be verified before they get access, not just credentialed and trusted forever. Zero Trust means exactly that: trust nobody, verify everything, every time.
- Run phishing simulations regularly
The most effective way to protect employees against phishing is to send them fake phishing emails regularly and train them on what to do when they spot one. A programme that runs quarterly simulations and provides immediate feedback when someone clicks dramatically reduces the risk of a successful social engineering attack.
- Set up bulk data export alerts
Any system that holds large volumes of customer data should have anomaly detection on data access patterns. If a single user account attempts to pull 10,000 records in five minutes, that should trigger an immediate alert and automatic throttling. This is not a complex technology requirement; it is a configuration decision.
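To make that “configuration decision” concrete, here is an added example of what the export path of a ticketing system can enforce server-side. It is illustrative code written for this article, not Adobe’s ticketing system or any product’s code; the page size, the rolling quota and its window, the two-approver rule, the Ticket and Approval records and the sample queues are all assumptions. It scopes every export to the agent’s own queues, caps the page size, enforces a rolling per-agent quota, and refuses a full export unless two people other than the requester have approved it.

```python
"""Server-side export guardrails for a support ticketing system.

Added example: illustrative code, not Adobe's ticketing system or any
vendor product. Thresholds, record types and queue names are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_PAGE_SIZE = 200           # assumed: most records one request may return
AGENT_QUOTA = 1_000           # assumed: records per agent per rolling window
QUOTA_WINDOW_SECONDS = 300    # five-minute window, the figure used in the text
BULK_APPROVALS_REQUIRED = 2   # assumed: two distinct approvers for a full export


class ExportDenied(Exception):
    """Raised when a request violates page size, scope, quota or approval rules."""


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    queue: str          # e.g. "enterprise-support"; used to scope agent access


@dataclass(frozen=True)
class Approval:
    approver: str
    reason: str


@dataclass
class ExportPolicy:
    # agent -> deque of (timestamp, records returned); backs the sliding-window quota
    history: dict = field(default_factory=dict)
    # every denial and every bulk export lands here for the SOC to review
    audit: list = field(default_factory=list)

    def _used_in_window(self, agent: str, now: float) -> int:
        window = self.history.setdefault(agent, deque())
        while window and now - window[0][0] > QUOTA_WINDOW_SECONDS:
            window.popleft()
        return sum(count for _, count in window)

    def export_page(self, tickets, agent, allowed_queues, offset, limit, now):
        """Normal agent export: scoped to the agent's queues, paged, quota-limited."""
        if limit > MAX_PAGE_SIZE:
            self.audit.append(("deny_page_size", agent, limit))
            raise ExportDenied(f"page size {limit} exceeds {MAX_PAGE_SIZE}")
        used = self._used_in_window(agent, now)
        if used + limit > AGENT_QUOTA:
            self.audit.append(("deny_quota", agent, used + limit))
            raise ExportDenied(
                f"{agent} would exceed {AGENT_QUOTA} records in {QUOTA_WINDOW_SECONDS}s")
        # Least privilege: the agent never sees tickets outside their queues.
        in_scope = [t for t in tickets if t.queue in allowed_queues]
        page = in_scope[offset:offset + limit]
        self.history[agent].append((now, len(page)))
        return page

    def export_bulk(self, tickets, agent, approvals, now):
        """Full export: only with distinct approvers other than the requester."""
        approvers = {a.approver for a in approvals if a.approver != agent}
        if len(approvers) < BULK_APPROVALS_REQUIRED:
            self.audit.append(("deny_bulk_unapproved", agent, len(approvers)))
            raise ExportDenied("bulk export requires approval from "
                               f"{BULK_APPROVALS_REQUIRED} people other than the requester")
        self.audit.append(("bulk_export", agent, len(tickets), sorted(approvers), now))
        return list(tickets)


def make_tickets(n: int):
    """Constructed sample data: tickets alternating between two queues."""
    queues = ("consumer-support", "enterprise-support")
    return [Ticket(i, queues[i % 2]) for i in range(n)]


if __name__ == "__main__":
    policy = ExportPolicy()
    tickets = make_tickets(3_000)
    page = policy.export_page(tickets, "agent1", {"consumer-support"}, 0, 200, now=0.0)
    print(len(page), "tickets returned,",
          sum(t.queue == "enterprise-support" for t in page), "out of scope")
    try:
        policy.export_bulk(tickets, "agent1", [Approval("agent1", "self")], now=1.0)
    except ExportDenied as err:
        print("denied:", err)
```

The quota counts what the agent asks for, not only what comes back, so an attacker cannot probe the quota with oversized offsets; every denial is written to the audit list, which is what the alerting rules feed on.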
7 Steps Every Indian IT Head Should Take This Week
If you are an IT head, CISO, or CTO at an Indian bank, NBFC, insurance company, or enterprise, here is a practical action list based on the lessons from this breach.
1. Audit your vendor access immediately
Make a list of every third-party vendor, BPO partner, and IT service provider who has access to your network or your systems. Review what level of access they have, when they last used it, and whether that access is still necessary. Revoke anything that is no longer needed.
2. Isolate vendor and partner traffic on a separate network segment
Vendor laptops should never be on the same network segment as your core systems. Use VLANs or a dedicated guest network for external parties. This limits the blast radius if one of their devices is compromised.
3. Deploy Network Access Control on your LAN
NAC solutions give you visibility into every device on your network, whether it belongs to an employee, a vendor, or an unknown party, and allow you to enforce policies automatically. Solutions like EasyNAC work without requiring any changes to your existing switch infrastructure, making deployment fast and non-disruptive.
4. Enable continuous monitoring of third-party access
Every connection a vendor makes to your systems should be logged. Review those logs regularly. Set up alerts for unusual access patterns: connections at odd hours, unusually large data downloads, and access to systems outside the vendor’s normal scope.
5. Review your RBI compliance posture
RBI’s Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (in force since April 2024) specifically mandates third-party risk management, annual vendor audits, and documented access controls. If you have not reviewed your compliance against these requirements recently, this breach is a reminder that inspectors are asking for evidence, not just policies.
6. Run a phishing simulation this month
Send a simulated phishing email to your team and, with their management’s written agreement, to staff at your key vendor partners. See who clicks. Use the results to prioritise training, and repeat at least once a quarter. It is one of the most cost-effective security investments you can make, though it lowers click rates rather than eliminating them, which is why the technical controls in the other steps still matter.
7. Apply rate limits and export controls to all customer data systems
Review every system that holds customer data and ask one question: could a single user download all of it in one action? If the answer is yes, fix that today. Add bulk export restrictions, approval workflows, and anomaly alerts.
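The monitoring and export-control steps above (log every vendor connection, alert on bulk exports, on odd-hours access and on systems outside the vendor’s scope) come down to a handful of rules run over an audit log. The following is an added example of those rules, not code from Adobe, the BPO or any vendor. The JSON log format, the per-vendor scope table, the contracted hours and the threshold of 10,000 records in five minutes used earlier in this article are assumptions, and the log lines are constructed for the example. Timestamps are converted to IST so that “odd hours” means the vendor’s contracted hours, not the server’s clock.

```python
"""Detection rules over a vendor-access audit log.

Added example: illustrative detection logic, not Adobe's, the BPO's or any
product's code. Log format, vendor scopes and thresholds are assumptions;
the sample log lines are constructed, not real data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

# Assumed per-vendor scope: systems they may touch, and contracted hours in IST.
VENDOR_SCOPE = {
    "bpo-support":    {"systems": {"ticketing"}, "hours": (8, 20)},
    "payroll-vendor": {"systems": {"payroll"},   "hours": (9, 18)},
}
EXPORT_THRESHOLD = 10_000        # records per user per window, the figure from the text
WINDOW = timedelta(minutes=5)

# Constructed sample log (JSON lines, UTC timestamps). Not real data.
SAMPLE_LOG = """\
{"ts": "2026-04-02T04:35:00+00:00", "user": "agent1@bpo-support", "system": "ticketing", "action": "view", "records": 1}
{"ts": "2026-04-02T05:30:00+00:00", "user": "agent1@bpo-support", "system": "ticketing", "action": "export", "records": 4000}
{"ts": "2026-04-02T05:32:00+00:00", "user": "agent1@bpo-support", "system": "ticketing", "action": "export", "records": 4000}
{"ts": "2026-04-02T05:34:00+00:00", "user": "agent1@bpo-support", "system": "ticketing", "action": "export", "records": 3000}
{"ts": "2026-04-01T21:00:00+00:00", "user": "manager1@bpo-support", "system": "ticketing", "action": "export", "records": 500}
{"ts": "2026-04-02T06:00:00+00:00", "user": "agent2@bpo-support", "system": "hr-database", "action": "view", "records": 1}
{"ts": "2026-04-02T04:30:00+00:00", "user": "tech1@payroll-vendor", "system": "payroll", "action": "view", "records": 1}
"""


def parse_event(line: str) -> dict:
    """Parse one JSON log line; normalise the timestamp to IST and derive the vendor."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"]).astimezone(IST)
    event["vendor"] = event["user"].split("@", 1)[1]
    return event


def detect(log_text: str) -> list:
    """Return alerts as (rule, user, detail) tuples, in timestamp order."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    exports = defaultdict(deque)   # user -> (ts, records) seen within WINDOW
    for e in events:
        scope = VENDOR_SCOPE.get(e["vendor"])
        if scope is None:
            alerts.append(("unknown_vendor", e["user"], e["vendor"]))
            continue
        # Rule 1: system outside the vendor's contracted scope.
        if e["system"] not in scope["systems"]:
            alerts.append(("out_of_scope", e["user"], e["system"]))
        # Rule 2: access outside contracted hours (evaluated in IST).
        start, end = scope["hours"]
        if not (start <= e["ts"].hour < end):
            alerts.append(("off_hours", e["user"], e["ts"].strftime("%H:%M IST")))
        # Rule 3: cumulative export volume per user in a sliding window.
        if e["action"] == "export":
            window = exports[e["user"]]
            window.append((e["ts"], e["records"]))
            while e["ts"] - window[0][0] > WINDOW:
                window.popleft()
            total = sum(n for _, n in window)
            if total > EXPORT_THRESHOLD:
                alerts.append(("bulk_export", e["user"], total))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"{rule:<13} {user:<24} {detail}")
```

Three separate 4,000-record pulls look harmless on their own; the sliding window is what makes the third one visible as an 11,000-record export. In production the same rules would run against the ticketing system’s own audit trail and the bulk_export alert would also trigger throttling of the account, not just a notification.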
The Bigger Picture: Your Vendor Is Now Your Weakest Link
The Adobe breach is not an isolated incident. It is part of a clear and growing pattern that cybersecurity researchers have been warning about for years, and that is now becoming the dominant attack strategy.
Attackers have figured out that large companies invest heavily in their own security. Perimeter defences, SIEM systems, advanced endpoint protection, security operations centres. Breaching these directly is difficult, time-consuming, and risky.
But the vendors those companies hire? The BPO partners? The IT support companies? The software implementation consultants who spend a week on-site every quarter? They often have none of that. And they have direct access to the target.
For Indian companies in the BFSI sector, this threat is particularly acute. The Reserve Bank of India has already recognised this and made third-party risk management a central pillar of its IT Governance Master Direction that took effect in 2024. But regulatory compliance is not the same as actual security. A policy document saying you manage vendor risk is not the same as a system that actually watches what your vendors are doing on your network in real time.
The question every IT head in India needs to answer honestly is this: if a vendor’s laptop on your network was compromised right now, would you know about it in five seconds or five months?
For the Indian BPO that inadvertently became the entry point for Adobe’s worst breach, the answer was five months. By then, 13 million records were gone.
Final Thought
The employee who opened that email was not careless. They were human. Hackers who run supply chain attacks specifically target the weakest link in the human chain, often junior employees at third-party firms who have not received the same level of security training as the primary company’s staff.
Security cannot be built on the assumption that people will always make the right decision. It has to be built on systems that catch the consequences when they do not.
Network visibility. Device control. Vendor access monitoring. Least privilege. These are not complex or expensive ideas. They are the foundation of a network that can survive the reality of 2026, where the threat is not coming through your front door but through a laptop belonging to someone you trusted.
At Skeletos IT Services, we help Indian banks, NBFCs, and enterprises deploy EasyNAC, a plug-and-protect Network Access Control solution that gives IT teams real-time visibility into every device on their network without any switch changes or network reconfiguration. If you want to understand what is actually connected to your network right now, we can show you in a 30-minute demo.
Note: This article is based on publicly reported claims reviewed by International Cyber Digest and multiple cybersecurity publications. Adobe had not officially confirmed the breach at the time of publication. All facts cited are from verified public sources.

