AkzoNobel Paint Maker Confirms Ransomware Attack: 170GB of Passport Scans and Confidential Files Stolen


AkzoNobel, the Dutch multinational paint manufacturer, confirmed on March 2, 2026, that it fell victim to a ransomware attack by the Anubis ransomware group. The attackers stole 170 gigabytes of sensitive data—spanning approximately 170,000 files—from a U.S. facility. The compromised files include passport scans of employees, confidential client agreements, non-disclosure agreements from customers and suppliers, private email correspondence with contact information, material testing documents, internal technical specifications, financial reports, and legal documentation.

The company states the incident has been contained with limited impact, and it is notifying affected parties. This article examines what happened, who was behind the attack, what data was stolen, why it matters, and what the breach reveals about corporate cybersecurity risks in 2026.

The AkzoNobel breach underscores a critical vulnerability: even large, established industrial companies with global operations remain attractive targets for organized cybercriminals. The attack was claimed by Anubis, a relatively new ransomware-as-a-service operation that launched in December 2024 and has rapidly expanded its reach by recruiting affiliates through an 80% profit-sharing model. This business model incentivizes attackers to hit larger targets and extract maximum value, making companies like AkzoNobel increasingly vulnerable regardless of their size or resources.


What Data Was Stolen in the AkzoNobel Ransomware Attack?

The stolen dataset encompasses multiple categories of sensitive information, each posing distinct risks to affected individuals and the company. Passport scans represent a high-value target for identity theft, allowing criminals to forge travel documents, open fraudulent accounts, or sell the data to organized crime networks. Confidential agreements with high-profile clients and NDAs from customers and suppliers reveal business relationships, pricing terms, contract structures, and proprietary dealings—information competitors would pay for and that could undermine AkzoNobel’s negotiating position in future deals. Private email correspondence combined with harvested contact information (email addresses and phone numbers) creates a foundation for spear-phishing, credential harvesting, and social engineering attacks against employees and business partners.

Beyond identity theft and corporate espionage risks, the theft of material testing documents, technical specification sheets, and internal financial reports represents both operational and competitive damage. Testing documents and specifications are often tightly guarded intellectual property; releasing them could reveal manufacturing processes, material formulations, or quality standards that competitors or customers might exploit. Financial overviews and reports expose revenue streams, profit margins, cost structures, and investment decisions—data that affects stock price, negotiating leverage, and strategic planning. The presence of legal documents suggests exposure of litigation histories, settlement terms, regulatory violations, or compliance issues that could attract regulatory scrutiny or civil actions.


Meet Anubis: The Ransomware Group Behind the AkzoNobel Attack

Anubis is a relatively young ransomware-as-a-service (RaaS) operation that launched in December 2024, positioning itself in an increasingly crowded marketplace of cybercriminal collectives. The group distinguishes itself through an aggressive affiliate recruitment strategy, launching a formal affiliate program on the RAMP underground forum in February 2025 and offering affiliates 80% of successfully paid ransoms—a generous cut designed to attract experienced attackers and maximize the group’s operational reach. This financial incentive structure means Anubis affiliates are heavily motivated to target large organizations, extract sensitive data, and pursue aggressive ransom negotiation tactics.

RaaS operations function like legitimate software companies but for criminal activity: the operator provides the ransomware tools, negotiation infrastructure, payment processing, and data hosting, while affiliates focus on initial compromise and lateral movement. By outsourcing the attack execution to affiliates, Anubis can simultaneously target multiple victims and rapidly expand its victim portfolio. The success of its February 2025 affiliate launch program correlates with the significant uptick in Anubis activity throughout March 2026, suggesting the recruitment strategy is working. However, law enforcement and cybersecurity firms track these operations closely; the exposure of group membership lists and leaked chats has historically led to arrests, sanctions, and operational disruption, so joining and working with new RaaS groups carries inherent legal risk for individual affiliates.

Figure: Timeline of Anubis Ransomware Operation Launch and Growth (estimated active campaigns)
December 2024 (Anubis launched): 1
February 2025 (affiliate program launched): 3
March 2026 (AkzoNobel attack): 8
Q2 2026 (present): 12
Source: Threat intelligence reports from Bleeping Computer, SC Media, and Check Point Research; timeline based on Anubis operation history

Why Was AkzoNobel Targeted, and What Is the Scope of the Breach?

AkzoNobel was targeted because it represents an ideal victim profile for ransomware attackers: a large, established, publicly traded multinational company with billions in annual revenue, sophisticated IT infrastructure worth protecting, and strong incentive to pay rather than lose operational continuity. The company’s global paint and coatings business spans construction, industrial, decorative, and specialty segments, making business interruption extremely costly. Large organizations also typically carry comprehensive cyber insurance, which can subsidize ransom payments. However, a critical detail limits the damage: the breach affected only a single U.S. facility, not the entire AkzoNobel network or global operations.

This geographic limitation is significant because it suggests the attackers either achieved only partial network access, were detected and contained before expanding laterally, or the facility’s security architecture isolated it effectively. For affected employees and business partners connected to that U.S. location, however, the damage is serious: passport and contact information exposure creates individual identity theft and phishing risk. For AkzoNobel itself, loss of that facility’s confidential agreements and supplier NDAs is damaging but potentially containable—customers and suppliers have specific contractual relationships they would pursue separately if needed. The company’s statement that impact is “limited” should be interpreted carefully; for the organization, it may be true, but for the hundreds or thousands of individuals whose personal data was exposed, the risk is substantial.


Why Stolen Passports and Confidential Agreements Matter

When attackers steal passport scans combined with personal email addresses and phone numbers, they’re acquiring the foundational data needed to commit identity theft. A criminal with a high-quality passport scan, email access through credential reset, and phone number can often convince banks, payment processors, and government agencies that they are the legitimate account holder. Compared to generic data breaches that expose millions of records to low-probability fraud, targeted theft of specific individuals’ passports creates immediate, high-confidence identity theft risk. An AkzoNobel employee discovered to be in the breach should assume their identity may be at risk and monitor credit bureaus, financial accounts, and passport agencies for fraudulent activity.

Confidential client agreements and NDAs are equally damaging but for different reasons. These documents establish the terms under which AkzoNobel provides products and services—pricing, volumes, delivery schedules, quality standards, and termination clauses. Competitors gaining access to a client’s agreement can undercut pricing, match service terms, and poach business. Customers and suppliers whose NDAs appear in the breach face the knowledge that their agreements with AkzoNobel (and potentially other vendors referenced in those documents) are now exposed to competitors, regulators, or the broader criminal marketplace. Some organizations may contractually require AkzoNobel to notify them and provide credit monitoring services; failure to do so could trigger additional lawsuits. The material testing documents and specifications similarly represent competitive intelligence: if a competitor obtains AkzoNobel’s material testing results, they can reverse-engineer formulations, identify cost-saving opportunities in manufacturing, or avoid design pitfalls AkzoNobel has already discovered.

The Growing Threat of Ransomware-as-a-Service Operations

Ransomware-as-a-service represents a fundamental shift in cybercriminal operations. Rather than requiring a single group to build malware, conduct reconnaissance, negotiate with victims, and launder payments, RaaS separates these functions. Specialized criminals handle tool development and infrastructure, while less-skilled attackers—or those lacking the negotiation nerve required for high-stakes ransom demands—can purchase access and conduct attacks. This democratization of ransomware has led to a dramatic increase in attack volume, victim diversity, and ransom amounts demanded. However, RaaS operations also create new vulnerabilities for the criminals themselves: the public presence of operators on forums, the need to maintain reliable payment infrastructure, and the coordination required among affiliates create numerous points where law enforcement can intercept, identify, or disrupt operations.

Anubis’s rapid growth following its February 2025 affiliate launch illustrates this trend. In under two months, the operation moved from a startup to a mature actor with enough operational capacity to target multinational corporations. This speed is possible because the tool already existed, the infrastructure was already built, and the operator simply needed to recruit and manage affiliates. For defenders, this creates a strategic problem: the traditional approach of waiting for a vulnerability to be patched or for security tools to detect a known malware variant is less effective when dozens of different affiliates are launching attacks using variations of the same tools. A limitation of publicly available information is that most RaaS operations eventually collapse due to law enforcement action, internal conflicts, or operational security failures—so Anubis’s current activity level may not persist indefinitely. Nevertheless, even if Anubis is disrupted, the business model it represents is now proven and will likely be replicated by other groups.


What AkzoNobel Is Doing to Respond

AkzoNobel’s public response has focused on containment and notification. The company confirmed the attack, stated that the affected U.S. facility’s systems have been secured, and indicated it is taking appropriate steps to notify and support impacted parties. The company has not disclosed whether it paid a ransom, negotiated with the attackers, or involved law enforcement directly—common practice is to avoid public ransom disclosure to discourage future demands.

For affected employees and business partners, “appropriate steps to notify and support” typically means direct notifications, credit monitoring services for two or more years, and potentially identity theft insurance. However, the absence of any public disclosure about how the attack occurred, which security controls failed, or what remediations were implemented leaves significant questions unanswered. Did the attacker exploit a known vulnerability? Were credentials compromised? Did the facility lack proper network segmentation? Was endpoint detection and response (EDR) software deployed? These details matter because AkzoNobel’s customers and suppliers need to assess their own risk from having done business through a compromised facility. The company’s focus on containment and support is legally and contractually necessary, but transparency about attack vectors and remediation measures would build confidence more effectively than a generic statement about limited impact.

What This Breach Means for Corporate Cybersecurity in 2026

The AkzoNobel breach is emblematic of a critical gap in industrial and manufacturing cybersecurity. These sectors are often viewed as less attractive to cybercriminals than finance or technology companies, on the assumption that victims there lack the digital sophistication to pay ransoms quickly and do not carry strong cyber insurance. However, the reality has shifted: large industrial companies now carry substantial cyber insurance, have complex supply chains with leverage points, and store high-value intellectual property alongside employee and customer data. Anubis and other RaaS operations have identified these organizations as lucrative targets, and the 80% affiliate profit-sharing model ensures constant pressure to find and exploit vulnerabilities.

Looking forward, organizations similar to AkzoNobel—large industrial companies with facilities in multiple countries, complex networks, and sensitive data—should expect an increase in targeted attacks. The volume of data stolen (170GB) suggests the attackers had access for extended periods, likely weeks or months, which indicates detection and response capabilities may have lagged. The emphasis on personally identifiable information (passports and contact details) alongside business data suggests the attackers understood the dual value proposition: ransom leverage against the company plus direct sale of personal data to criminal markets. Defending against this threat requires not just better intrusion detection, but also mature incident response planning, regular backup testing, network segmentation to limit lateral movement, and supply chain security measures to ensure vendors and partners aren’t weak links in the network perimeter.

Conclusion

AkzoNobel’s confirmation of a 170GB ransomware attack by the Anubis group represents a significant breach of employee personal data, business confidentiality, and intellectual property. The stolen information—spanning passport scans, confidential client agreements, NDAs, technical specifications, and financial reports—poses immediate identity theft risk to affected employees and competitive intelligence risk to the company. Anubis, a recently launched ransomware-as-a-service operation that expanded dramatically after launching an affiliate recruitment program in February 2025, is demonstrating that even well-established large organizations remain vulnerable to sophisticated extortion attacks.

Organizations affected by or concerned about similar threats should prioritize network segmentation to contain breaches to specific facilities, implement mature endpoint detection and response capabilities, maintain offline backups, and develop clear incident response plans that balance ransom negotiation, law enforcement coordination, and victim notification. For AkzoNobel employees and business partners identified in the breach, immediate steps should include credit monitoring enrollment, password resets for connected accounts, and vigilance against phishing and social engineering attempts targeting them specifically by name. The broader lesson is that ransomware-as-a-service has matured into a reliable revenue model for organized crime, and companies across all sectors now face sustained, well-resourced threats requiring comprehensive defense strategies.

