AkzoNobel Faces Ransomware Breach: Anubis Claims Massive Data Theft from U.S. Facility

By Ashish S

In early March 2026, AkzoNobel, the Dutch multinational corporation famous for paints, coatings, and specialty chemicals under brands such as Dulux, Sikkens, International, and Interpon, confirmed that it suffered a cybersecurity breach limited to one of its sites in the United States. The incident became public after the Anubis ransomware group listed the company as a victim and published samples of what it claims is stolen data.

Discovery and Claims by Anubis

The breach was first revealed on March 2, 2026, when Anubis added AkzoNobel to its dark web leak site. According to the group, it stole approximately 170 gigabytes of data, consisting of nearly 170,000 files. To demonstrate access, Anubis released preview samples that include folder structures and portions of documents. The types of information reportedly exposed include:

  • Contracts and non-disclosure agreements with clients
  • Internal company emails and business correspondence
  • Employee identification documents including passport scans
  • Financial reports and accounting records
  • Product formulations, material safety data sheets, and technical specifications
  • Contact lists containing email addresses and phone numbers of clients, partners, and employees

The presence of personally identifiable information such as passport details creates serious risks of identity theft and phishing campaigns targeting affected individuals.

AkzoNobel’s Official Statement

On March 3, 2026, AkzoNobel confirmed the security incident in response to questions from cybersecurity journalists. The company issued the following statement:

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained. The impact is limited, and we are taking the appropriate steps to notify and support impacted parties and will work closely with relevant authorities.”

The company emphasized that the compromise remained isolated, did not affect other global locations, and caused no significant disruption to production or business operations. There have been no public reports of files being encrypted across the network or of ransom payments being discussed.

Who Is the Anubis Ransomware Group?

Anubis is a relatively new but increasingly active ransomware-as-a-service operation that gained prominence during 2025 and 2026. It frequently targets organizations in manufacturing, healthcare, education, legal services, and other industries. Attackers typically gain entry through phishing emails, exploitation of known software vulnerabilities, or compromised credentials. After gaining a foothold, they escalate privileges, move laterally through the network, steal large amounts of data, and often deploy ransomware to encrypt files while threatening to publish the stolen information.

In the AkzoNobel case, the lack of reported encryption suggests the attackers may have been focused primarily on data exfiltration and extortion through public leaks rather than full system lockdown.

Potential Impact and Recommendations

The leaked data could lead to several consequences:

  • Identity theft or fraud attempts against employees whose passport scans were exposed
  • Competitive intelligence loss if proprietary product information reaches rivals
  • Increased phishing and social engineering attacks using stolen contact lists and internal correspondence
  • Possible regulatory investigations or fines depending on the jurisdictions involved

AkzoNobel is required to notify affected individuals and organizations under various U.S. state breach notification laws and potentially under GDPR for any European data subjects.

For companies in similar industries, this incident highlights the importance of several security practices:

  • Strong network segmentation between regional sites and central corporate systems
  • Real-time monitoring for unusual outbound data transfers
  • Mandatory multi-factor authentication everywhere possible
  • Regular patching of internet-facing systems and applications
  • Ongoing employee awareness training focused on phishing recognition

Investigations are ongoing to determine the exact method of initial access and the full extent of the compromise. AkzoNobel continues to prioritize containment, communication with stakeholders, and cooperation with law enforcement.

Events like this serve as a reminder that even large, well-established multinational companies remain attractive targets for financially motivated cybercriminals in the current threat environment.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.