Avanti Windows & Doors — a vinyl window manufacturer headquartered in El Mirage, Arizona, with regional offices across Nevada, Texas, California, and Florida.
The exposed material includes:
Plaintext SQL Server SA (system administrator) credentials — the master key to the FeneVision ERP database containing every customer order, every price, every financial record the company has ever processed.
Employee SSNs, W-4s, I-9s, and E-Verify data — the complete identity package for the entire workforce, from new-hire packets through payroll records spanning 2014–2016+.
1099-MISC/INT forms — SSNs/EINs and payment amounts for 50–200+ contractors and vendors across two tax years.
Direct deposit authorizations — bank account and routing numbers for employees who enrolled in ACH payroll.
24+ months of Chase bank statements and 28 months of AMEX corporate card statements — full account numbers, transaction details, and spending patterns.
The complete proprietary pricing algorithm — source code for the FastAPI backend that determines window pricing for every builder contract, plus 41+ builder Master Service Agreements with exact pricing terms.
CPA-reviewed financial statements, partnership returns, K-1s, and budget forecasts — the company’s full financial anatomy, from cost structure to profit allocation.
OSHA 300 logs, workers’ compensation audit files, and UHC health insurance invoices — employee medical and injury data, names of injured workers, treatment details.
Attorney-client privileged ADOSH settlement correspondence — OSHA settlement negotiations between outside counsel and the CEO.
~80 Windows roaming profiles — employee desktops, documents, AppData, Outlook .ost/.pst files, browser caches, and cached credentials.
Startec Group of Companies
Startec Group of Companies, a privately held Calgary-based industrial OEM founded in 1976 by Joe Cawthorn. Startec designs, fabricates, installs, and services compression, process, and refrigeration systems for oil-and-gas operators and the energy-transition sector (RNG, hydrogen, CO&sub2; sequestration, flare-gas capture). The company employs ~270 people and exports ~80% of its cleantech output to US customers including Pembina, ARC Resources, SemCAMS, Cenovus, and Shell. The exposed material spans the entire corporate knowledge base: 25 years of payroll (2001–2026) including a master SIN VERIFICATION.xlsx register, ADP exports, T4/ROE/T2200 forms, banking/EFT direct-deposit data for ~600+ current and former employees 18+ named passport scans plus a Pakistan resume-and-passport applicant pool (~20+) Wildcard TLS private keys for *.startec.ca (2022–2027 series) and the suspected Active-Directory-integrated internal CA private key The cyber-insurance policy (BZA2151) and the Nov 2025 Statement of Values & Business-Interruption submission to Zurich ~25+ named customer engineering libraries (Pembina, ARC, SemCAMS, Cenovus, Shell Scotford) with process specs, as-built drawings, and sizing calculations Shell Caroline + Shell Saturn dispute-counsel files (~665 MB of privileged litigation material) 12 fiscal years of board packs including “in camera” sessions, the 2020 Valuation Report, family-trust T3 returns, and succession-planning documents Cawthorn family QuickBooks files (live .QBW — full chart of accounts, general ledger, every transaction) 11 Outlook PST mailboxes (several multi-GB — named ex-employees' complete email history) Physical-security access codes (CCTV passwords, Telsco alarm chart, all-doors key record)
NorthWest Handling Systems
NorthWest Handling Systems — a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988. 337,000+ files spanning every branch, every department, every era of the company. It includes: Plaintext credit card numbers in an Excel spreadsheet literally titled “C.O.D. info (CREDIT CARD INFO).xlsx” — stored at the root of the file server, unencrypted, for years. Social Security numbers and Taxpayer IDs on W-9 forms and certified payroll documents for government-contract work (USPS, Oregon DHS, public schools). 3+ years of plaintext passwords for Target Corporation’s vendor portal (TARS), stored in Word documents titled “TARGET PASSWORD & SECURITY QUESTIONS.” Each password rotation was saved as a new file. Home Depot Maximo DC billing credentials — plaintext, in a Word document, enabling fraudulent invoicing against a Fortune 50 company. Albertsons/Safeway Corrigo facility-management portal credentials — again, plaintext in a .docx file. 33 GB of customer warehouse CAD files — facility layouts, equipment placement, security-zone dimensions, and fire-protection drawings for approximately 50–200 companies including Nike, Google, Costco, and Umpqua Bank. 24,669 rows of fixed-asset data in ExportFile.csv — the complete equipment inventory, revealing the company’s financial structure, depreciation schedules, and capital-investment history. Corporate bank routing and account numbers (ACH authorization forms), employee direct-deposit details, time cards, disciplinary records, accident reports, and decades of invoices.
Costa Solutions, LLC
Costa Solutions, LLC — a privately held managed-labor and warehousing company headquartered in San Antonio, Texas, with ~$140M annual revenue and 200–1,000 employees.
The file server contained the complete operational, financial, legal, and human resources infrastructure of the company:
3,000–8,000+ individuals' personal data — current employees, former employees (12 years of records), independent contractors, employee dependents, and job applicants. SSNs on W-2s, W-4s, 1099s, I-9s, background checks. Bank account and routing numbers on 200+ direct deposit forms.
Medical and injury records — 150+ employee injury/medical files from 2013–2026, FMLA medical certifications, drug test results (random, reasonable suspicion, post-incident, promotional), and workers' compensation claims for 23+ named individuals.
CEO's entire file system — Josh Wean's Documents folder (5.3 GB) including P&L statements, a 17-subfolder "Confidential" directory, legal correspondence, strategic plans, a C-12 peer advisory group archive, and a $RECYCLE.BIN with 60+ deleted items.
Client contracts and competitive intelligence — pricing, SLAs, and contract terms for HEB, CVS, Sysco, Amazon, McLane, Labatt, Valvoline. Competitor pricing intelligence. RFP bid documents with cost models.
Active legal case files — litigation records (2021–2022), HR internal investigation notes (2018–2021), arbitration files, active investigations marked "DO NOT DELETE" — all subject to attorney-client privilege.
Infrastructure secrets — an HEB production server TLS certificate, a Cisco AnyConnect VPN installer, and the CEO's Remote Desktop connection file.
Corporate financials — multi-year budgets, valuation & sale documents (indicating possible M&A activity), PPP loan forgiveness records, Form 5500 ERISA filings, and annual reporting.
Bayou Title, Inc.
Bayou Title, Inc. — the largest title insurance agent and closing/settlement services provider in Louisiana, with 19 full-service locations statewide.
The exfiltrated data spans 20+ years of operations (2004–2026) and includes:
70,000–100,000+ Social Security numbers paired with names, addresses, and sale proceeds from 1099-S real-estate closing worksheets covering all 19 offices across three tax years (2018–2020), plus W-2 and 1099-MISC filings.
Complete employee payroll databases — 10+ instances of Sage 50 EMPLOYEE.DAT files containing SSNs, bank account numbers, routing numbers, pay rates, tax withholding, and direct deposit details for current and former employees.
103 GB of title abstracts — ~34,000+ PDFs documenting ownership chains, liens, and mortgages for properties across Louisiana.
44 GB of GreenFolders DMS transaction packages (2012, 2013, 2019) — complete closing file archives containing HUD-1 settlement statements, identity verification documents, SSN cards, and tax records. Filenames contain encoded tags (ssn, hud, soc, tax).
Plaintext credentials for government portals — a file literally named Lafayette Assessors lcmenard Password4321.url, plus a PDF containing Orleans Parish system login credentials.
Attorney-client privileged documents — wills, attorney engagement letters, and legal opinions prepared by licensed Louisiana attorneys.
Advanta Genetics LLC
Advanta Genetics LLC — a respected CLIA/CAP-accredited clinical toxicology and molecular diagnostics laborator. The exposed material includes: Tens of thousands of real patient lives — including highly sensitive chronic opioid therapy charts flagged by the Texas Medical Board and elderly Medicare audit records. Provider identities and prescribing power — SSNs, DEA numbers, and state licenses from 20+ states that can be turned into black-market "script pads". Gold-standard identity theft kits — W-2s, I-9s with passport scans, and full employee packages for 50+ staff. 102 complete QuickBooks company files exposing every vendor, payroll run, bank link, and financial secret across the Advanta/RedLeaf/OSPRI empire. High-value trade secrets — OSPRI Biopath investment decks, valuation models, FDA pre-submission packets, and the proprietary "The Brain" AI diagnostic architecture. Explosive privileged attorney-client memos on active regulatory battles (Texas Medical Board Remedial Plan #19-153 and a federal NORA subpoena). Active Directory domain controller data (NTDS.dit and SAM hives).
Baresque Group
Baresque Group — a respected commercial-interiors company headquartered in Perth, Australia, with offices in Dallas, Chicago, and Brussels.
The exposed material includes:
100+ passport scans, 35 birth certificates, 60+ driver's licences, 50+ TFN declarations — the complete identity-theft toolkit for the entire workforce, spanning Australia, the US, and Europe.
Plaintext credentials for every critical system — Microsoft 365, HR platform (Elmo Talent), remote-access gateway (LogMeIn), phone system (3CX), ERP (Jim2) — all in browser-export CSVs and an enterprise-wide Password_Listing.xls that had been sitting on a shared drive since at least 2017.
4 TLS private keys for customer-facing domains — enabling impersonation of the company's websites.
343 GB of product R&D — SolidWorks CAD files, manufacturing specifications, and product blueprints for Zintra acoustic panels, FUNC furniture, botton+gardiner wallcoverings, and Scribblr surfaces. The complete design library.
Two years of board packs, financial reports, and cash-flow models — the company's entire strategic and financial position laid bare.
Privileged legal documents — active subpoena files, sworn affidavit exhibits, Fair Work Australia tribunal filings, and settlement agreements with confidentiality clauses.
Workers compensation medical records naming specific employees with diagnoses, treatment plans, and claim amounts.
Cheval Blanc Randheli
Guest Passport Scans — 75,855 Files, 10 Years
The single largest data category: 75,855 passport scan images spanning January 2015 through October 2024, organised in daily folders within monthly and yearly directories. These represent an estimated 20,000–30,000 unique guests. Each scan contains the full passport bio page: photo, full name, date of birth, nationality, passport number, machine-readable zone (MRZ), and signature.
Among the exposed passports:
Qatar Royal Family members — 9 passport scans including Muhammad Mesned S M Al-Misned, Abdulla, Khalifa, Lolwa, Nasser, Alanoud, Bessy, and Mesned
UAE VIP and government officials — including H.E. Ahmed Saif Ali Aldhabea Aldarmaki, H.E. Matar Suhail Ali Alyabhouni Aldhaheri, and members of an April 2024 private buyout group who arrived on private jets (tail numbers A6AUH, A6DAH)
LVMH head-office executives — 7 passport/profile photos including named senior staff from Paris
Guest PMS Data — 30,000–50,000 Profiles
Opera PMS exports containing full names, home addresses (street-level), nationalities, VIP classification levels (A/B/C/G), partial credit card data (last-4 digits + expiry + card type), deposit amounts, booking confirmation numbers, stay histories, travel agent details, flight numbers, and guest preferences.
Employee Records — 1,000–2,000 Individuals
Ten years of salary records (2017–2026), medical insurance claims organised by department, ~200 ECARD ID photos, vacation/leave records, Key Management Personnel (KMP) compensation details, and biometric enrollment data from the Gladis facility-access system.
Credentials and Infrastructure
BitLocker recovery key — full disk-encryption key for the Windows server volume
Passwords.docx — plaintext system password store covering revenue, PMS, and operational systems
Extranet passwords — booking-portal and vendor credentials
3CX VoIP backup — SIP credentials, extension configurations, call routing rules
Biometric templates (Gladis enrollment) — non-rotateable fingerprint/facial data
Corporate-Sensitive Documents
Management Contract of Cheval Blanc Randheli — the LVMH–property owner agreement containing fee structures, performance benchmarks, and brand license terms
Board investment recommendation for Velidhoo — a potential new property with capital allocation and return projections
10 years of budgets and revenue forecasts
Audited subsidiary financial statements (I&T / Sitax entities)
White Book — the property's operational standards manual (proprietary LVMH brand IP)
Building Management System data — HVAC, power, desalination, and lighting control files for island infrastructure
Law Offices of Michael A. Freedman, P.A. (maflaw.com)
Law Offices of Michael A. Freedman, P.A. (maflaw.com). The exfiltrated corpus is 579 GB used / 143 GB at root level / 196,701 files / 19,231 directories, dated as recently as a year-2026-in-progress client matter.
What this means for a plaintiffs' PI firm of ~25 staff:
656 client-matter folders organised across eight yearly parents from June 2019 through 2026-in-progress. Per-client medical records, HIPAA authorisations, police reports, settlement releases, IOLTA distribution sheets, retainer agreements, and treating-provider correspondence.
Two staff Outlook archives at 2.1 GB each, plus a 505 MB Outlook backup, plus 27 enumerated .pst files — years of attorney–client privileged correspondence, settlement strategy, opposing-counsel comms.
The complete Sage ACT. Pro v18 contact universe — the live database plus eight historical ZIP backups going back to 2013 plus a 9.3 MB plaintext export (ACT!-Contacts.txt) that any text editor can open. Estimated 5,000–12,000 contacts.
The firm's master credential vault in a Word document called Woodywoody78!.docx (the filename is itself the vault password). Plaintext credentials for M&T Bank multi-identity business + commercial accounts (with electronic-payment-approval authority), Bank of America, Paychex, QuickBooks, and the firm's federal EIN. Plus the senior partner's phone-unlock PIN.
A staff browser-exported password CSV (32 plaintext credentials) including the M365 tenant, the Slack tenant, hospital portals (MedStar, GBMC, Allstate secure mail), MoveDocs, ChartRequest, MSHC Legal portal — plus residual credentials from prior employers SLF Law and Bailey Law, creating cross-firm contamination liability.
The Universal Licensing / Freedman Consulting invention-promotion operation — a second line of business under the same EIN, with hundreds of inventor folders. Per-inventor unpublished invention disclosures, “Internet Presentation of Invention” decks, NDAs, Exclusive Patent License Agreement drafts, patent-art renderings, and per-managed-mailbox client-company passwords.
A criminal-defense sub-practice (“SLF criminal” out of Janice's working folder) with retainer agreements and per-client court documents, carrying 6th-Amendment-attorney–client uplift on the privileged-track scoring.
An Axon evidence.com MPIA-released body-worn-camera package (449 MB total; a 448 MB clip from the 2020-12-20 Park Baltimore incident).
Atlas Metal Industries Inc
Atlas Metal Industries Inc. — a privately held commercial-foodservice-equipment manufacturer headquartered in Miami, Florida.
The dataset is a complete Microsoft Dynamics GP environment: production databases, payroll records, system credentials, Autodesk Vault product-design backups, CNC fabrication programs, and all supporting infrastructure configuration. The exfiltration occurred on or about April 8, 2026; the attack was identified April 22, 2026.
The exposed material includes:
15.8 GB of payroll-records database (PYREC) — full Employee Master with SSNs, DOBs, addresses, direct-deposit bank routing numbers, salary, W-4 tax data, garnishments, and check history dating to at least 2018.
30+ SQL Server login accounts with password hashes in a sp_help_revlogin dump — named employees, system admins (DYNSA, sa), service accounts, and Active Directory domain accounts.
74 GB of Autodesk Vault Professional backup — complete product-design history from 2019 through 2026, covering every product line Atlas Metal manufactures.
Hundreds of CNC fabrication programs — laser-cutter and Amada punch-press G-code for the full catalogue of sheet-metal components.
A base64-encoded SQL credential for the TimeClock Plus timekeeping system, stored in plaintext XML.
8 SQL Server databases with full backup chains — ATLAS (primary), PYREC (payroll), DYNAMICS (system), TEST (18 GB dev clone), TWO, AMIT, plus system databases (master, msdb, DynamicsGPSecurity).
