Skip to content

Incidents by attack type:

Ransomware

RansomwareContained

Foxconn Nitrogen ransomware breach (2026)

The Nitrogen ransomware group claimed on its dark-web leak site that it had stolen over 11 million files from Foxconn's North American facilities, including confidential information belonging to customers Apple, Dell, Google, Intel, Nvidia, and Sony. Foxconn said affected factories were resuming normal production.

Victim
Foxconn (Hon Hai Precision Industry)
RansomwareContained

Leak at Lisi

In early March 2026, French aerospace and automotive fastener manufacturer LISI Group was hit by the Qilin ransomware gang, which exfiltrated a limited set of corporate data โ€” bank account/IBAN details, supply contracts, confidentiality agreements and employee information โ€” from two ancillary sites.

Victim
Lisi
RansomwareUnknown

Data leak at Tactis

In early 2026, French digital-infrastructure consultancy Tactis was hit by the Qilin ransomware gang, which listed the firm on its leak site and threatened to publish exfiltrated internal data covering its telecom and smart-city projects for public and private clients.

Victim
Tactis
RansomwareContained

Leak at Commune de Lens

In late December 2025, the town hall of Lens (Pas-de-Calais, France) disclosed an intrusion into its information system that paralysed municipal services for about a week, blocking staff software and telephone lines; the attack vector was undisclosed and data theft was not confirmed.

Victim
Commune de Lens
RansomwareOngoing

Leak at La Centrale du Financement

A threat actor exfiltrated around 387 GB of data (some 411,000 files) from French mortgage and credit broker La Centrale de Financement, exposing highly sensitive customer KYC documents, financial records and internal files, then offered the dataset for sale after failed extortion negotiations.

Victim
La Centrale du Financement
RansomwareOngoing

Leak at Michelin

In November 2025, the Cl0p extortion gang listed French tyre maker Michelin on its leak site, claiming to have stolen internal manufacturing, engineering, supply-chain, financial and HR files via the Oracle E-Business Suite zero-day (CVE-2025-61882).

Victim
Michelin
RansomwareContained

Leak at Poltronesofa

On 27 October 2025, Italian sofa and furniture retailer Poltronesofร  suffered a ransomware attack that encrypted its servers and exposed personal data of thousands of customers, including names, postal addresses, emails, phone numbers and tax identification numbers; no banking data was affected.

Victim
Poltronesofa
RansomwareOngoing

Leak at Hauts-de-France high schools

Ransomware group Qilin attacked the IT systems of public high schools run by France's Hauts-de-France region in October 2025, paralysing some 80% of around 269 schools and claiming over 1 TB of stolen data including students' ID documents, CVs and academic transcripts.

Victim
Hauts-de-France high schools
RansomwareUnknown

Leak at Partner Immo

On 13 August 2025, Partner Immo, a French provider of online property- and condominium-management software, was reported as the target of a ransomware/data-leak incident; the exact scope and exposed data were not publicly confirmed.

Victim
Partner Immo
RansomwareContained

Leak at Orange

On 25 July 2025, French telecom group Orange detected unauthorized access to one of its information systems; the Warlock ransomware group later claimed the attack and published about 4 GB of data, which Orange described as outdated or low-sensitivity.

Victim
Orange
RansomwareOngoing

Leak at Groupe 5ร Sec

The DragonForce ransomware group claimed a July 2025 attack on French dry-cleaning chain 5ร Sec, exfiltrating roughly 290 GB of data โ€” SQL production and test databases spanning the group's France, Switzerland, Luxembourg, Spain and Portugal operations โ€” and published it after the company declined to pay.

Victim
Groupe 5ร Sec
RansomwareOngoing

Leak at Disneyland

In June 2025, the Anubis ransomware gang claimed a 64GB leak of ~39,000 confidential files from Disneyland Paris โ€” engineering plans and behind-the-scenes photos/videos of park attractions โ€” said to be stolen via a compromised third-party contractor.

Victim
Disneyland
RansomwareOngoing

Leak at Harvest

Harvest, a French wealth-management software editor, was hit by a Run Some Wares ransomware double-extortion attack disclosed in April 2025; internal and client files were exfiltrated and published, reportedly exposing data on tens of thousands of individuals and thousands of companies.

Victim
Harvest
RansomwareUnknown

Leak at Cogitis

On 31 December 2024, the DragonForce ransomware gang listed Cogitis โ€” a French inter-municipal IT syndicate serving local authorities โ€” on its leak site, claiming around 81 GB of exfiltrated data including internal files and personal data tied to the public bodies it supports.

Victim
Cogitis
RansomwareContained

Leak at Atos

On 28 December 2024, the Space Bears ransomware group claimed to have compromised an Atos database; the French IT giant investigated and concluded its own systems were not breached, attributing the leaked Atos-related data to a compromised external third-party infrastructure.

Victim
Atos
RansomwareOngoing

Leak at Arsoรฉ

A ransomware attack disclosed in late December 2024 crippled Arsoรฉ de Soual, the agricultural IT provider hosting livestock-management software for ~30,000 farmers across some 22 French departments; systems were encrypted and a ransom demanded, with no data exfiltration detected.

Victim
Arsoรฉ
RansomwareOngoing

Leak at Peugeot

In December 2024, the ransomware-as-a-service group Cicada 3301 claimed to have stolen 40 GB of data from Peugeot dealerships (mainly in Lot-et-Garonne, France), including customer ID documents, VINs and vehicle inventory data, threatening to publish it by 6 January 2025.

Victim
Peugeot
RansomwareUnknown

Leak at Deloitte

On 4 December 2024, the Brain Cipher ransomware group publicly claimed to have stolen over 1 TB of data from Deloitte UK; Deloitte said the allegations related to a single client's system outside its own network and that no Deloitte systems were impacted.

Victim
Deloitte
RansomwareResolved

RECOPE RansomHub ransomware attack

RansomHub ransomware forced Costa Rica's state oil refiner RECOPE to switch its entire fuel-distribution network to manual operations, triggering the first real-world deployment of the U.S. State Department's FALCON cyber-response program.

Victim
Refinadora Costarricense de Petrรณleo (RECOPE)
RansomwareContained

Leak at Chambres d'agriculture

In November 2024, the Chambres d'agriculture d'Occitanie โ€” France's regional public chambers of agriculture โ€” were hit by a malware/ransomware-type cyberattack that spread across their interconnected national network and rendered the workstations of roughly 1,000 regional staff unusable.

Victim
Chambres d'agriculture
RansomwareContained

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data โ€” including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim
Schneider Electric โ€” Sustainability Business division
RansomwareContained

Westpole LockBit ransomware โ€” Italian PA outage (2023)

LockBit 3.0 encrypted the data centres of Italian cloud provider Westpole, taking down PA Digitale's Urbi platform โ€” which serves 1,300 Italian public administrations including 540 municipalities, the Quirinale presidency, ISTAT, the Bank of Italy, and the Ministry of Environment. Payroll, citizen services, and local-government workflows were degraded for weeks.

Victim
Westpole / PA Digitale (Urbi platform)
RansomwareResolved

ALAB Laboratoria ransomware data leak

The RA World ransomware gang breached Poland's nationwide ALAB Laboratoria medical-lab network, stealing patient test results and PESEL identity numbers. ALAB refused to pay, and the criminals published sensitive medical data on tens of thousands of patients in what became Poland's largest medical data breach.

Victim
ALAB Laboratoria
Records
50.0K
RansomwareContained

ICBC Financial Services LockBit ransomware (2023)

LockBit ransomware disrupted the U.S. broker-dealer arm of the world's largest bank, ICBC, jamming settlement of over $9 billion in U.S. Treasury trades. Bank staff sent critical settlement details by USB stick via a messenger across Manhattan. $62 billion of Treasuries failed to deliver in one day.

Victim
ICBC Financial Services (U.S. broker-dealer of Industrial and Commercial Bank of China)
Loss
$9.00B
RansomwareRansom paid

Caesars Entertainment Scattered Spider ransom payment (2023)

Scattered Spider impersonated a Caesars employee on a call to a third-party IT support vendor and convinced the vendor to grant Okta credentials, then exfiltrated customer loyalty data including SSNs and driver's licences. Caesars paid roughly $15 million ransom; the FBI later froze a substantial portion of the funds with Chainalysis assistance.

Victim
Caesars Entertainment
Loss
$15.0M
RansomwareContained

Xplain Play ransomware and Swiss federal documents leak (2023)

Play ransomware breached Swiss IT services provider Xplain, exfiltrating 1.3 million files. Approximately 65,000 documents belonging to the Swiss Federal Administration โ€” including classified content, personal data, and readable passwords โ€” were published on Play's dark-web leak site in June 2023.

Victim
Xplain (Swiss IT services provider to the Federal Administration)
Records
1.3M
RansomwareResolved

EPM BlackCat ransomware attack

The BlackCat/ALPHV ransomware gang crippled Colombia's largest public utility, Empresas Pรบblicas de Medellรญn, forcing 4,000 staff to work offline and disrupting electricity, water, and gas billing across 123 municipalities.

Victim
Empresas Pรบblicas de Medellรญn (EPM)
RansomwareContained

AIIMS Delhi ransomware

Ransomware encrypted the All India Institute of Medical Sciences in New Delhi โ€” India's most prestigious public hospital โ€” taking patient registration and clinical records offline for two weeks during peak winter patient load.

Victim
All India Institute of Medical Sciences (AIIMS) New Delhi
Loss
$15.0M
RansomwareResolved

Impresa media group ransomware attack

The Lapsus$ group seized the Amazon Web Services account of Impresa, Portugal's largest media conglomerate, knocking the Expresso newspaper and SIC television channels offline, defacing their websites and hijacking Expresso's verified Twitter account in what authorities called the country's largest ransomware attack.

Victim
Impresa (Expresso / SIC)
RansomwareResolved

Amedia ransomware attack

A ransomware attack encrypted the central systems of Amedia, Norway's largest local-newspaper group, halting presses and disrupting subscription and advertising systems for more than 70 titles serving around 2 million readers. Amedia refused to pay.

Victim
Amedia
RansomwareContained

Transnet 'Death Kitty' ransomware (South Africa, 2021)

A ransomware attack on South Africa's state-owned logistics firm Transnet shut down operations at Durban, Ngqura, Port Elizabeth and Cape Town container terminals, forcing the operator to declare force majeure. Durban โ€” 60% of Southern Africa's containerised trade โ€” reverted to paper-based clearance for cargo for a week.

Victim
Transnet SOC (state-owned freight & port operator)
RansomwareContained

HSE Ireland ransomware (Conti)

Conti ransomware paralysed Ireland's Health Service Executive, forcing cancellation of outpatient appointments nationwide for weeks. Conti released the decryptor for free; recovery still cost an estimated โ‚ฌ100M+.

Victim
Health Service Executive (HSE) of Ireland
Loss
$130.0M
Records
700.0K
RansomwareContained

HSE Ireland Conti ransomware national healthcare shutdown (2021)

Conti operators tricked an HSE user into downloading a booby-trapped Excel attachment; the resulting ransomware forced the Health Service Executive to shut down all of Ireland's healthcare IT systems and exfiltrated 700 GB including COVID-19 vaccination PHI. Recovery cost exceeded โ‚ฌ100 million.

Victim
Health Service Executive (HSE) of Ireland
Loss
$110.0M
RansomwareRansom paid

Maastricht University Clop ransomware (Netherlands, 2019)

TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15โ€“16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin โ€” later seized from a money mule โ€” was returned and had appreciated, leaving the university ahead by ~$300,000.

Victim
Maastricht University
Loss
$220.0K
RansomwareRansom paid

LifeLabs data breach

Canada's largest medical-testing laboratory disclosed that attackers had accessed health data on roughly 15 million customers, paid an undisclosed ransom to retrieve the stolen records, and was later found by privacy regulators to have failed to safeguard the information.

Victim
LifeLabs
Records
15.0M
RansomwareResolved

Beneลกov Hospital Ryuk ransomware attack

An Emotetโ€“TrickBotโ€“Ryuk malware chain crippled the Rudolf and Stefanie Hospital in Beneลกov, Czech Republic, knocking out X-ray, ultrasound, and laboratory systems and paralysing the facility for weeks. The hospital did not pay the ransom and reported no patient-record loss.

Victim
Rudolf and Stefanie Hospital, Beneลกov