| Date | Title | Description | Screen |
|---|---|---|---|
| Hagerman & Company | Hagerman & Company — a 40-year-old Autodesk Platinum Partner headquartered in Mt. Zion, Illinois, serving 250+ enterprise customers across manufacturing, energy, defense, healthcare, and education. The exposed dataset includes: Complete proprietary source code for 15+ commercial products including the HNC Licensing System (License Generator, License Server, License Manager) — enabling unlimited piracy of all Hagerman products. 8+ plaintext database credentials in .udl files, including an Oracle SYS (DBA superuser) account with password "Hagerman@1!" reused across multiple systems. Engineering vault databases for 14+ critical infrastructure entities — NYPA (7 power plants including Niagara Falls), Kinder Morgan (Elba Island LNG terminal), HydroOne (Ontario electricity), Phillips 66, Chevron, and 8+ petroleum refineries. Defense/government data — NASA IT Security Requirements, Lockheed Martin configurations, Boeing-SVS vault data, JPL configurations. Azure DevOps transaction logs (1.6 GB) containing complete source code version history and potentially CI/CD deployment secrets. Third-party database credentials for Michigan State University (3 databases), Cal State Long Beach, and Beth Israel Deaconess Medical Center infrastructure. | ||
| ALS Global | ALS Limited (ASX:ALQ) — a global testing, inspection, and certification company with AUD 3.19B revenue, 20,500+ employees, and operations in 65+ countries — identified unauthorised access to its IT systems. ~400–500 employee home directories — personal documents, cached credentials, email settings, family photos, personal finance files for employees from Australia to Peru to Sweden to Romania. The company's 1Password team vault emergency recovery kit — a single 45 KB PDF that enables total recovery of every shared credential in ALS's enterprise password vault. 291 plaintext password files including administrator credentials, FTP passwords, portal passwords, and the document control system master password. 1,018 passport and identity document scans — Swedish passports, Mexican passports, Australian passports — each one a 10-year identity-theft enabler. 601 bank account detail files including IBAN, SWIFT routing codes, BSB numbers, and sort codes for employees across 15+ countries, plus Russian-language SWIFT salary payment files. 1,986 salary, payroll, and compensation files — named individuals, exact amounts, pay scales, negotiation records across AU, US, EU, UK, CA, BR, SE, RO. 453 medical, drug test, and workplace injury records — GDPR Art. 9 special category data. 57 complete Outlook email archives (PST files) — years of correspondence, attachments, privileged communications. 7,327 client laboratory results — mining assay data, certificates of analysis, and geochemistry results held under NDA. 20 GB of proprietary analytical method development — ALS's core competitive IP: PFAS, dioxin, acrylamide, glyphosate LC-MS/GC-MS method packages representing years and millions of AUD in R&D. For a TIC company, analytical methods are the product. 7.2 GB of Internal Research reports — 68+ formal research reports (IR153–IR287+) spanning 15 years, including IsaMill grinding R&D, GlyLeach joint-venture process IP (with mutual NDA), flotation, mineralogy, and QEMSCAN data. The FY2025–2026 innovation roadmap — "ALS Environmental Innovation — Priority projects for 2024-25" (10 MB PPTX) and Nordic Innovation Business Plans revealing which methods ALS plans to develop and which markets it plans to enter. 3.7 GB of Cryptosporidium water-testing methods (WA_Crypto) — UKAS-accredited, DWI-regulated detection methods where few UK labs hold accreditation. QuickBooks live bookkeeping, AR aging reports, and stock sale records — taken 12 days before FY26 results announcement. 111 PKI certificates with private keys — corporate WiFi, TLS server certs, personal signing certificates. A compiled Chrome password extraction tool with source code — credential harvesting infrastructure resident on ALS systems. | ||
| Allan Brothers Fruit | Allan Brothers, Inc. — a third-generation, family-owned tree-fruit operation headquartered in Naches, Washington. Allan Brothers packs and ships apples and cherries from a 300,000 sq ft cold-storage facility, employing roughly 45 full-time staff and up to 2,000 seasonal workers during peak harvest. Eight server volumes: 14,228 employee records from ADP Workforce Now — names, dates of birth, phone numbers, gender, employment history, photos — covering every person who has ever worked at Allan Brothers, including seasonal cherry pickers, H-2A visa workers, and office staff. W-2 tax filings with full Social Security Numbers for employees across eight legal entities (ALLAN, ABMEXICO, ABSAGE, ABSAGEMOOR, ABVINEYARD, ABAG, ABSHELTON, ABFROST). Direct deposit forms with bank routing numbers and account numbers for named individuals — the raw ingredients for ACH fraud. H-2A visa worker tracking spreadsheets listing which workers have or are missing Social Security Numbers, plus I-9 employment eligibility audits — exposing immigration status for the most vulnerable members of the workforce. A complete Oracle RMAN database backup of the Famous Software production system — the company's grower settlement, customer pricing, and lot-tracking engine. 1.3 GB of employee badge photos — facial images linked to names and employee IDs for hundreds of workers. COBOL-era accounting databases spanning 8 legal entities — GL, AP, AR, payroll, and W-2 filing data going back years. OSHA incident logs naming workers who sustained injuries, with injury descriptions and treatment details. | ||
| Diamond Truck Centres | Diamond Truck Centres — Western Canada's largest International Trucks dealership group (9 dealer + 13 sub-dealer locations, ~$63M revenue, 250 employees). The dataset spans 17 years of unbroken operational history (2009–2026) and represents the full shared-drive contents of the entire company: HR, payroll, accounting, military contracts, and individual employee profiles. The exposed material includes: 53 customer Pre-Authorized Debit (PAD) forms — full bank account numbers, transit numbers, institution numbers, and authorized signatures for commercial customers including the City of Saskatoon. 17 years of employee payroll data — wages, SINs (implied), pension contributions, benefits, termination calculations for every employee since 2009. Biometric data — ADP fingerprint timeclock enrollment records for all locations. Immigration documents for 6+ foreign workers — LMIA applications, offers of employment, provincial nominee support docs. System credentials in plaintext — ADP timeclock passwords, manager training logins, safe combination. Military contract documentation — Diamond's Controlled Goods Security Plan (ITAR/CGP), MSVS delivery matrices, military vehicle VINs, CFB Edmonton and RCMP vehicle program data. 289 GB of daily bank deposit scans (2017–2026) — customer cheque images with names, amounts, and account details. A complete Outlook PST archive (166 MB) — years of internal email likely containing credentials and customer data. | ||
| Sumitomo Electric Bordnetze | Sumitomo Electric Bordnetze SE (SEBN) — a Wolfsburg-headquartered subsidiary of Sumitomo Electric Industries (TSE:5802, ~$31B group revenue), employing approximately 40,000 people across 14 countries. Exfiltrated 1.1 terabytes of data from five manufacturing sites. SEBN Moldova (103 GB) — HR, payroll, personal tax records, competition-council litigation files, home directories; SEBN Ukraine (115 GB) — HR/salary, Audi B9 project data, process documentation, including displaced-worker records for Ukrainian IDPs; SEBN Tunisia — Fejja (191 GB + 493 GB shared) — passport copies, email archives (671 MB PST), quality/FMEA data, finance; SEBN Slovakia (268 GB) — the crown jewel: Citibank corporate banking infrastructure including the TESTKEY authentication system, IBAN registries, daily bank statements, SAP salary-payment files, and years of department email archives. The dataset contains 173,000 Excel files, 149,000 PDFs, 2,500 CAD engineering drawings, 2,500 Outlook messages, 1,500 FMEA/PPAP quality files, and 9 Outlook PST archives. | ||
| Avanti Windows & Doors | Avanti Windows & Doors — a vinyl window manufacturer headquartered in El Mirage, Arizona, with regional offices across Nevada, Texas, California, and Florida. The exposed material includes: Plaintext SQL Server SA (system administrator) credentials — the master key to the FeneVision ERP database containing every customer order, every price, every financial record the company has ever processed. Employee SSNs, W-4s, I-9s, and E-Verify data — the complete identity package for the entire workforce, from new-hire packets through payroll records spanning 2014–2016+. 1099-MISC/INT forms — SSNs/EINs and payment amounts for 50–200+ contractors and vendors across two tax years. Direct deposit authorizations — bank account and routing numbers for employees who enrolled in ACH payroll. 24+ months of Chase bank statements and 28 months of AMEX corporate card statements — full account numbers, transaction details, and spending patterns. The complete proprietary pricing algorithm — source code for the FastAPI backend that determines window pricing for every builder contract, plus 41+ builder Master Service Agreements with exact pricing terms. CPA-reviewed financial statements, partnership returns, K-1s, and budget forecasts — the company’s full financial anatomy, from cost structure to profit allocation. OSHA 300 logs, workers’ compensation audit files, and UHC health insurance invoices — employee medical and injury data, names of injured workers, treatment details. Attorney-client privileged ADOSH settlement correspondence — OSHA settlement negotiations between outside counsel and the CEO. ~80 Windows roaming profiles — employee desktops, documents, AppData, Outlook .ost/.pst files, browser caches, and cached credentials. | ||
| Startec Group of Companies | Startec Group of Companies, a privately held Calgary-based industrial OEM founded in 1976 by Joe Cawthorn. Startec designs, fabricates, installs, and services compression, process, and refrigeration systems for oil-and-gas operators and the energy-transition sector (RNG, hydrogen, CO₂ sequestration, flare-gas capture). The company employs ~270 people and exports ~80% of its cleantech output to US customers including Pembina, ARC Resources, SemCAMS, Cenovus, and Shell. The exposed material spans the entire corporate knowledge base: 25 years of payroll (2001–2026) including a master SIN VERIFICATION.xlsx register, ADP exports, T4/ROE/T2200 forms, banking/EFT direct-deposit data for ~600+ current and former employees; 18+ named passport scans plus a Pakistan resume-and-passport applicant pool (~20+); Wildcard TLS private keys for *.startec.ca (2022–2027 series) and the suspected Active-Directory-integrated internal CA private key; The cyber-insurance policy (BZA2151) and the Nov 2025 Statement of Values & Business-Interruption submission to Zurich; ~25+ named customer engineering libraries (Pembina, ARC, SemCAMS, Cenovus, Shell Scotford) with process specs, as-built drawings, and sizing calculations; Shell Caroline + Shell Saturn dispute-counsel files (~665 MB of privileged litigation material); 12 fiscal years of board packs including “in camera” sessions, the 2020 Valuation Report, family-trust T3 returns, and succession-planning documents; Cawthorn family QuickBooks files (live .QBW — full chart of accounts, general ledger, every transaction); 11 Outlook PST mailboxes (several multi-GB — named ex-employees' complete email history); Physical-security access codes (CCTV passwords, Telsco alarm chart, all-doors key record) | ||
| NorthWest Handling Systems | NorthWest Handling Systems — a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988. 337,000+ files spanning every branch, every department, every era of the company. It includes: Plaintext credit card numbers in an Excel spreadsheet literally titled “C.O.D. info (CREDIT CARD INFO).xlsx” — stored at the root of the file server, unencrypted, for years. Social Security numbers and Taxpayer IDs on W-9 forms and certified payroll documents for government-contract work (USPS, Oregon DHS, public schools). 3+ years of plaintext passwords for Target Corporation’s vendor portal (TARS), stored in Word documents titled “TARGET PASSWORD & SECURITY QUESTIONS.” Each password rotation was saved as a new file. Home Depot Maximo DC billing credentials — plaintext, in a Word document, enabling fraudulent invoicing against a Fortune 50 company. Albertsons/Safeway Corrigo facility-management portal credentials — again, plaintext in a .docx file. 33 GB of customer warehouse CAD files — facility layouts, equipment placement, security-zone dimensions, and fire-protection drawings for approximately 50–200 companies including Nike, Google, Costco, and Umpqua Bank. 24,669 rows of fixed-asset data in ExportFile.csv — the complete equipment inventory, revealing the company’s financial structure, depreciation schedules, and capital-investment history. Corporate bank routing and account numbers (ACH authorization forms), employee direct-deposit details, time cards, disciplinary records, accident reports, and decades of invoices. | ||
| Costa Solutions, LLC | Costa Solutions, LLC — a privately held managed-labor and warehousing company headquartered in San Antonio, Texas, with ~$140M annual revenue and 200–1,000 employees. The file server contained the complete operational, financial, legal, and human resources infrastructure of the company: 3,000–8,000+ individuals' personal data — current employees, former employees (12 years of records), independent contractors, employee dependents, and job applicants. SSNs on W-2s, W-4s, 1099s, I-9s, background checks. Bank account and routing numbers on 200+ direct deposit forms. Medical and injury records — 150+ employee injury/medical files from 2013–2026, FMLA medical certifications, drug test results (random, reasonable suspicion, post-incident, promotional), and workers' compensation claims for 23+ named individuals. CEO's entire file system — Josh Wean's Documents folder (5.3 GB) including P&L statements, a 17-subfolder "Confidential" directory, legal correspondence, strategic plans, a C-12 peer advisory group archive, and a $RECYCLE.BIN with 60+ deleted items. Client contracts and competitive intelligence — pricing, SLAs, and contract terms for HEB, CVS, Sysco, Amazon, McLane, Labatt, Valvoline. Competitor pricing intelligence. RFP bid documents with cost models. Active legal case files — litigation records (2021–2022), HR internal investigation notes (2018–2021), arbitration files, active investigations marked "DO NOT DELETE" — all subject to attorney-client privilege. Infrastructure secrets — an HEB production server TLS certificate, a Cisco AnyConnect VPN installer, and the CEO's Remote Desktop connection file. Corporate financials — multi-year budgets, valuation & sale documents (indicating possible M&A activity), PPP loan forgiveness records, Form 5500 ERISA filings, and annual reporting. | ||
| Bayou Title, Inc. | Bayou Title, Inc. — the largest title insurance agent and closing/settlement services provider in Louisiana, with 19 full-service locations statewide. The exfiltrated data spans 20+ years of operations (2004–2026) and includes: 70,000–100,000+ Social Security numbers paired with names, addresses, and sale proceeds from 1099-S real-estate closing worksheets covering all 19 offices across three tax years (2018–2020), plus W-2 and 1099-MISC filings. Complete employee payroll databases — 10+ instances of Sage 50 EMPLOYEE.DAT files containing SSNs, bank account numbers, routing numbers, pay rates, tax withholding, and direct deposit details for current and former employees. 103 GB of title abstracts — ~34,000+ PDFs documenting ownership chains, liens, and mortgages for properties across Louisiana. 44 GB of GreenFolders DMS transaction packages (2012, 2013, 2019) — complete closing file archives containing HUD-1 settlement statements, identity verification documents, SSN cards, and tax records. Filenames contain encoded tags (ssn, hud, soc, tax). Plaintext credentials for government portals — a file literally named Lafayette Assessors lcmenard Password4321.url, plus a PDF containing Orleans Parish system login credentials. Attorney-client privileged documents — wills, attorney engagement letters, and legal opinions prepared by licensed Louisiana attorneys. | ||
| Advanta Genetics LLC | Advanta Genetics LLC — a respected CLIA/CAP-accredited clinical toxicology and molecular diagnostics laboratory. The exposed material includes: Tens of thousands of real patient lives — including highly sensitive chronic opioid therapy charts flagged by the Texas Medical Board and elderly Medicare audit records. Provider identities and prescribing power — SSNs, DEA numbers, and state licenses from 20+ states that can be turned into black-market "script pads". Gold-standard identity theft kits — W-2s, I-9s with passport scans, and full employee packages for 50+ staff. 102 complete QuickBooks company files exposing every vendor, payroll run, bank link, and financial secret across the Advanta/RedLeaf/OSPRI empire. High-value trade secrets — OSPRI Biopath investment decks, valuation models, FDA pre-submission packets, and the proprietary "The Brain" AI diagnostic architecture. Explosive privileged attorney-client memos on active regulatory battles (Texas Medical Board Remedial Plan #19-153 and a federal NORA subpoena). Active Directory domain controller data (NTDS.dit and SAM hives). | ||
| Baresque Group | Baresque Group — a respected commercial-interiors company headquartered in Perth, Australia, with offices in Dallas, Chicago, and Brussels. The exposed material includes: 100+ passport scans, 35 birth certificates, 60+ driver's licences, 50+ TFN declarations — the complete identity-theft toolkit for the entire workforce, spanning Australia, the US, and Europe. Plaintext credentials for every critical system — Microsoft 365, HR platform (Elmo Talent), remote-access gateway (LogMeIn), phone system (3CX), ERP (Jim2) — all in browser-export CSVs and an enterprise-wide Password_Listing.xls that had been sitting on a shared drive since at least 2017. 4 TLS private keys for customer-facing domains — enabling impersonation of the company's websites. 343 GB of product R&D — SolidWorks CAD files, manufacturing specifications, and product blueprints for Zintra acoustic panels, FUNC furniture, botton+gardiner wallcoverings, and Scribblr surfaces. The complete design library. Two years of board packs, financial reports, and cash-flow models — the company's entire strategic and financial position laid bare. Privileged legal documents — active subpoena files, sworn affidavit exhibits, Fair Work Australia tribunal filings, and settlement agreements with confidentiality clauses. Workers compensation medical records naming specific employees with diagnoses, treatment plans, and claim amounts. | ||
| Cheval Blanc Randheli | Guest Passport Scans — 75,855 Files, 10 Years: The single largest data category: 75,855 passport scan images spanning January 2015 through October 2024, organised in daily folders within monthly and yearly directories. These represent an estimated 20,000–30,000 unique guests. Each scan contains the full passport bio page: photo, full name, date of birth, nationality, passport number, machine-readable zone (MRZ), and signature. Among the exposed passports: Qatar Royal Family members — 9 passport scans including Muhammad Mesned S M Al-Misned, Abdulla, Khalifa, Lolwa, Nasser, Alanoud, Bessy, and Mesned; UAE VIP and government officials — including H.E. Ahmed Saif Ali Aldhabea Aldarmaki, H.E. Matar Suhail Ali Alyabhouni Aldhaheri, and members of an April 2024 private buyout group who arrived on private jets (tail numbers A6AUH, A6DAH); LVMH head-office executives — 7 passport/profile photos including named senior staff from Paris. Guest PMS Data — 30,000–50,000 Profiles: Opera PMS exports containing full names, home addresses (street-level), nationalities, VIP classification levels (A/B/C/G), partial credit card data (last-4 digits + expiry + card type), deposit amounts, booking confirmation numbers, stay histories, travel agent details, flight numbers, and guest preferences. Employee Records — 1,000–2,000 Individuals: Ten years of salary records (2017–2026), medical insurance claims organised by department, ~200 ECARD ID photos, vacation/leave records, Key Management Personnel (KMP) compensation details, and biometric enrollment data from the Gladis facility-access system. Credentials and Infrastructure: BitLocker recovery key — full disk-encryption key for the Windows server volume; Passwords.docx — plaintext system password store covering revenue, PMS, and operational systems; Extranet passwords — booking-portal and vendor credentials; 3CX VoIP backup — SIP credentials, extension configurations, call routing rules; Biometric templates (Gladis enrollment) — non-rotatable fingerprint/facial data. Corporate-Sensitive Documents: Management Contract of Cheval Blanc Randheli — the LVMH–property owner agreement containing fee structures, performance benchmarks, and brand license terms; Board investment recommendation for Velidhoo — a potential new property with capital allocation and return projections; 10 years of budgets and revenue forecasts; Audited subsidiary financial statements (I&T / Sitax entities); White Book — the property's operational standards manual (proprietary LVMH brand IP); Building Management System data — HVAC, power, desalination, and lighting control files for island infrastructure | ||
| Law Offices of Michael A. Freedman, P.A. (maflaw.com) | Law Offices of Michael A. Freedman, P.A. (maflaw.com). The exfiltrated corpus is 579 GB used / 143 GB at root level / 196,701 files / 19,231 directories, dated as recently as a year-2026-in-progress client matter. What this means for a plaintiffs' PI firm of ~25 staff: 656 client-matter folders organised across eight yearly parents from June 2019 through 2026-in-progress. Per-client medical records, HIPAA authorisations, police reports, settlement releases, IOLTA distribution sheets, retainer agreements, and treating-provider correspondence. Two staff Outlook archives at 2.1 GB each, plus a 505 MB Outlook backup, plus 27 enumerated .pst files — years of attorney–client privileged correspondence, settlement strategy, opposing-counsel comms. The complete Sage ACT! Pro v18 contact universe — the live database plus eight historical ZIP backups going back to 2013 plus a 9.3 MB plaintext export (ACT!-Contacts.txt) that any text editor can open. Estimated 5,000–12,000 contacts. The firm's master credential vault in a Word document called Woodywoody78!.docx (the filename is itself the vault password). Plaintext credentials for M&T Bank multi-identity business + commercial accounts (with electronic-payment-approval authority), Bank of America, Paychex, QuickBooks, and the firm's federal EIN. Plus the senior partner's phone-unlock PIN. A staff browser-exported password CSV (32 plaintext credentials) including the M365 tenant, the Slack tenant, hospital portals (MedStar, GBMC, Allstate secure mail), MoveDocs, ChartRequest, MSHC Legal portal — plus residual credentials from prior employers SLF Law and Bailey Law, creating cross-firm contamination liability. The Universal Licensing / Freedman Consulting invention-promotion operation — a second line of business under the same EIN, with hundreds of inventor folders. Per-inventor unpublished invention disclosures, “Internet Presentation of Invention” decks, NDAs, Exclusive Patent License Agreement drafts, patent-art renderings, and per-managed-mailbox client-company passwords. A criminal-defense sub-practice (“SLF criminal” out of Janice's working folder) with retainer agreements and per-client court documents, carrying 6th-Amendment-attorney–client uplift on the privileged-track scoring. An Axon evidence.com MPIA-released body-worn-camera package (449 MB total; a 448 MB clip from the 2020-12-20 Park Baltimore incident). | ||
| Atlas Metal Industries Inc | Atlas Metal Industries Inc. — a privately held commercial-foodservice-equipment manufacturer headquartered in Miami, Florida. The dataset is a complete Microsoft Dynamics GP environment: production databases, payroll records, system credentials, Autodesk Vault product-design backups, CNC fabrication programs, and all supporting infrastructure configuration. The exfiltration occurred on or about April 8, 2026; the attack was identified April 22, 2026. The exposed material includes: 15.8 GB of payroll-records database (PYREC) — full Employee Master with SSNs, DOBs, addresses, direct-deposit bank routing numbers, salary, W-4 tax data, garnishments, and check history dating to at least 2018. 30+ SQL Server login accounts with password hashes in a sp_help_revlogin dump — named employees, system admins (DYNSA, sa), service accounts, and Active Directory domain accounts. 74 GB of Autodesk Vault Professional backup — complete product-design history from 2019 through 2026, covering every product line Atlas Metal manufactures. Hundreds of CNC fabrication programs — laser-cutter and Amada punch-press G-code for the full catalogue of sheet-metal components. A base64-encoded SQL credential for the TimeClock Plus timekeeping system, stored in plaintext XML. 8 SQL Server databases with full backup chains — ATLAS (primary), PYREC (payroll), DYNAMICS (system), TEST (18 GB dev clone), TWO, AMIT, plus system databases (master, msdb, DynamicsGPSecurity). |