2 min

Thales Group has announced that Russian-speaking ransomware group LockBit 3.0 has published its data on the dark web. The French defence and electronics giant was hacked in late October.

An archive of 9.5 gigabytes of “data related to Thales” was published overnight on the website of cybercrime gang LockBit, according to an article in Le Monde.

The archive contains data related to Thales contracts and partnerships in Italy and Malaysia, the article says. Thales confirmed that the data had been posted on the hackers’ site, but said that there had been “no intrusion” into the company’s IT system.

“Thales’ security experts have identified one of the two likely sources of the information theft. It was a partner’s account on a dedicated exchange portal that led to the disclosure of a limited amount of information”, said a company spokesperson.

The company added that its teams are working to identify the second source. Thales said that the data leak has “no impact on its business”. Thales provides electronics, software, devices and services to major organizations in the aerospace, defence, transportation and security sectors.

Here’s what’s been leaked

Among other things, the documents posted by LockBit mention a project by Thales and Malaysia-based Novatis Resources to implement aerial surveillance tools for Malaysia’s Kota Kinabalu airport. The documents, dated 2021, mention the project and the monitoring work performed by the company. Other files refer to contracts awarded by Thales in Italy, particularly in Florence, to support an automated ticket sales system for public transport services.

The archive does not appear to contain any personal data belonging to the company’s employees. Earlier this month, LockBit had announced that it had data stolen from Thales and threatened to post it on its website. The hackers then said they planned to publish the data on November 7. When the target date arrived, the hackers’ site posted a message indicating that the data had been published.

The data, however, was not immediately made accessible. The latter made some observers doubt the reality of the attack, according to Le Monde. The stolen files finally appeared on the site on November 11.