AkzoNobel faces mass leak of 170 GB and 170,000 files after attack by the Anubis group


The Dutch multinational AkzoNobel has confirmed a computer intrusion into the network of one of its sites in the United States. The incident has drawn the sector's attention because of the volume and nature of the data that the group behind it claims to have exfiltrated. According to reports in specialized media, the responsible actor, known as the Anubis group, published a sample of the stolen material on its leak site and claims to have obtained around 170 GB and almost 170,000 files, including confidential contracts with clients, private email, passport scans and internal technical documentation.

AkzoNobel, a company with a global presence and well-known brands in paints and coatings, has stated that the incident was confined to a specific United States facility and that containment measures were implemented to limit its scope. The company says the impact is limited and that it is notifying and supporting the affected parties and cooperating with the competent authorities, according to statements reported by cybersecurity media. In its statement, AkzoNobel did not say whether it had entered negotiations or had any contact with the attackers.


The relevance of the case lies not only in the size of the alleged dump, but in the composition of the published files: contracts with high-profile customers, contact data, internal correspondence and sensitive documentation on materials and technical specifications. This combination makes the leak not only a risk to the privacy of specific people, but also a source of possible reputational, commercial and operational damage to the company and its partners.

The Anubis group, identified in recent months as a ransomware-as-a-service (RaaS) operation, emerged in late 2024 offering its affiliates a majority share of the ransoms collected, and has since gained visibility in cybercrime forums. Reports on its evolution indicate that in 2025 it expanded its affiliate program and, more recently, incorporated destructive tooling (a wiper that erases data), which increases the risk of irreversible loss of information if an incident involves sabotage as well as exfiltration. For those who want to look deeper into the origin and tactics of this threat, there are public analyses that document its appearance and evolution, such as those published by threat intelligence specialists (KELA) and follow-up coverage in computer security media (BleepingComputer).

This episode is a reminder that even large, well-controlled organizations are not immune to targeted campaigns. When attackers combine mass data exfiltration with pressure and extortion tactics, the response requires both immediate technical action and coordinated management of communication and regulatory compliance. Containing the incident to a single site can minimize operational impact, but it does not eliminate the risk of public disclosure of sensitive information.

For industrial and manufacturing companies, the implications are several: disclosure of technical specifications or test results may erode competitive advantage; exposed personal data requires activating notification procedures for those affected and for the authorities; and leaked contracts may give rise to commercial disputes. In addition, the presence of a wiper in the attacker's arsenal makes recovery a major challenge if backups are not segregated, disconnected and verified.

More broadly, attacks such as this one fuel regulatory pressure and expand the responsibility of security officials. Agencies such as the United States Cybersecurity and Infrastructure Security Agency provide practical guidelines on ransomware prevention and response that are useful for any organization concerned about these scenarios (CISA - Ransomware Guidance).


Some questions remain open, for example the actual scope of the compromised data, whether a ransom was paid and whether the actor has released more of the data. Even so, the AkzoNobel case illustrates two realities of the current landscape: on the one hand, the professionalization and specialization of ransomware gangs operating through RaaS models; on the other, the need for companies to combine technical measures with response and communication plans prepared in advance. Cybersecurity today is as much a matter of processes and relationships with customers, suppliers and regulators as it is of technology.

For users and workers associated with potentially affected companies, the usual recommendation is to stay vigilant: verify official communications from the company, be cautious with unexpected emails asking for information, and change passwords if exposure is suspected. For IT managers, the lesson is clear: network segmentation, offline backups, recovery tests and constant monitoring remain the best defenses against the increasing sophistication of attacks.

The episode is still developing and we will probably see more details in the next few hours and days. Meanwhile, those following this case can find coverage and updates in leading cybersecurity media and in the official channels of the company concerned; to understand the technical and organizational nature of this type of threat, it is useful to consult the specialized analyses available online.
