Skip to content
RansomwareContained

Leak at Atos

On 28 December 2024, the Space Bears ransomware group claimed to have compromised an Atos database; the French IT giant investigated and concluded its own systems were not breached, attributing the leaked Atos-related data to a compromised external third-party infrastructure.

Victim
Atos

On 28 December 2024, Atos — the French IT services and digital-transformation group — was named on the leak site of the Space Bears ransomware group, which claimed to have compromised one of the company's databases. The gang, active since April 2024 and known for double-extortion tactics, posted a countdown timer threatening to publish a "company database" around 7 January 2025 unless a ransom was paid.

Atos pushed back publicly within days. In an initial security statement it said early analyses showed no signs of compromise or malware affecting any Atos or Eviden systems in any country, and that it had received no ransom demand. The claim landed at a sensitive moment, as Atos was negotiating the sale of strategic assets to the French government.

In a 3 January 2025 follow-up, Atos confirmed its own infrastructure had not been breached. It concluded that an external third-party system — unconnected to Atos and neither managed nor secured by it — had been compromised by Space Bears, and that this system merely held data referencing the company. Atos declined to identify the third party or the specific data involved.

  • Claimed target: an Atos-referencing database
  • Threat actor: Space Bears ransomware group (double extortion)
  • Actual exposure: data held on a compromised external third-party infrastructure
  • Atos internal systems: no evidence of compromise

Status: contained. Atos publicly denied any breach of its own environment; no confirmed record count or ransom payment has been reported.

Sources

  1. next.inkhttps://next.ink/brief_article/le-groupe-de-rancongiciels-space-bears-affirme-avoir-compromis-la-securite-datos/
  2. atos.nethttps://atos.net/en/2025/press-release_2025_01_03/atos-confirms-not-being-compromised-by-the-ransomware-group-space-bears
  3. techmonitor.aihttps://www.techmonitor.ai/cybersecurity/atos-rejects-space-bears-breach-allegations-third-party-infrastructure-link/
  4. cyberinsider.comhttps://cyberinsider.com/atos-denies-data-breach-claims-by-space-bears-ransomware-group/

Related incidents

RansomwareOngoing

Leak at Arsoé

A ransomware attack disclosed in late December 2024 crippled Arsoé de Soual, the agricultural IT provider hosting livestock-management software for ~30,000 farmers across some 22 French departments; systems were encrypted and a ransom demanded, with no data exfiltration detected.

Victim
Arsoé
RansomwareContained

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data — including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim
Schneider Electric — Sustainability Business division