Stolen, Weaponized, and Sold: Real Stories of Data Extortion Attacks

May 14, 2026

Data theft extortion, as the name suggests, occurs when a hacker unlawfully gains access to an organization’s sensitive data or systems and then demands payment in exchange for restoring access or halting the attack. More broadly, extortion encompasses any scenario in which a threat actor demands compensation to cease malicious activity.

Organizations can fall victim to these attacks in several ways, including data breaches, exploitation of system vulnerabilities, and social engineering tactics that deceive employees into granting unauthorized access. While companies continue to strengthen their defenses, attackers are simultaneously evolving their methods, often becoming more sophisticated and escalating their tactics.

This blog explores several well-known data theft extortion incidents, examining how they were carried out and how organizations responded.

In October 2020, hackers contacted 40,000 patients of the Finnish psychotherapy provider Vastaamo, demanding €200 in bitcoin within 24 hours, rising to €500 within an additional 48 hours, and threatening to release their personally identifiable information (PII) and therapy records if they refused to pay. Before these emails were sent, Vastaamo itself had refused to pay a ransom demand of €450,000 in bitcoin. In response, the hacker posted 300 patient transcripts on a public forum. Eventually, a 10-gigabyte data file appeared on dark web sites containing private notes between at least 2,000 patients and their therapists.

The information was obtained because of the company’s inadequate security practices: sensitive patient data was neither encrypted nor anonymized. Records were first accessed in 2018, and the security flaws were not fixed until March 2019.

In October 2022, the National Bureau of Investigation identified the suspect in the breach as 25-year-old Aleksanteri Kivimäki. He was subsequently charged in absentia at the Helsinki District Court with multiple offenses, including aggravated data breach, attempted aggravated extortion, aggravated distribution of information violating private privacy, blackmail, breach of confidentiality, and falsification of evidence. He was eventually convicted and sentenced to six years in prison. The attack prompted the Finnish government to implement enhanced security measures to safeguard citizens’ data, while also providing support to victims and introducing new legislation addressing data theft and extortion.

In late 2024, the threat actor group Scattered Lapsus$ Hunters (SLH) gained access to corporate Salesforce data using social engineering techniques, specifically vishing (voice phishing). Separately, between March 2025 and June 2025, attackers gained access to Salesloft’s corporate GitHub account. Salesloft is a sales engagement platform featuring an AI chatbot, Drift, which integrates with Salesforce and other applications. After compromising the GitHub account, the attackers downloaded content from multiple repositories, created their own user within the organization, and established custom workflows.

On October 3, 2025, SLH launched a data leak Tor site extorting 39 companies that were impacted by the Salesforce breaches. The companies listed on the site include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site demanded that Salesforce pay a ransom to prevent the release of impacted customers’ data (approximately 1 billion records containing personal information). The group set an October 10 deadline for Salesforce to pay the ransom, or for potentially affected companies to contact the group to secure their data. Salesforce refused to negotiate with the threat actors, believing the threats were unsubstantiated, and offered support to any of its affected clients.

Although the group had threatened to release all of the information if its demands were not met, it eventually leaked data from only six companies: Albertsons, Engie Resources, Fujifilm, Gap, Qantas, and Vietnam Airlines. Qantas and Vietnam Airlines each had more than five million customer records exposed.

The automobile manufacturer Jaguar Land Rover (JLR) disclosed in September 2025 that it had been the victim of a cyberattack that “severely disrupted production activities”. The attack began on August 31, leading JLR to halt production the following day, and by September 22 the disruption had forced a complete shutdown of its production lines for three weeks, with employees instructed to remain at home.

The threat actor Scattered Lapsus$ Hunters (SLH) took responsibility for the attack via a Telegram channel. JLR has not released details on how its systems were compromised, but SLH has typically used social engineering campaigns to attack its victims.

The type of extortion used by SLH has not been released to the public, but the UK Government eventually had to step in and loan JLR £1.5 billion. The government claimed that without the loan, people would be “laid off in the thousands”. Based on the latest financial results released by JLR, the cyberattack had a substantial impact on its profitability. The company reported a loss before tax and exceptional items of £485 million in Q2 and £134 million for the first half, compared with profits of £398 million and £1.1 billion, respectively, during the same period last year. The government later referenced the attack and the loan when outlining reasons for the country’s weak GDP in Q3 2025.

Corporate executives were targeted by an extortion campaign following the Oracle E-Business Suite (EBS) data breach. The ransomware group Clop sent emails to multiple executives claiming that their data had been stolen from Oracle’s EBS systems. In the email, the group claims to have successfully infiltrated the system and exfiltrated sensitive data. The email begins with a blunt introduction, identifying the group and suggesting that the victim verify its reputation online.

The group goes on to state that they have copied “a lot of documents,” including private files and other confidential information, which they now claim to control. Rather than focusing on system disruption alone, the attackers emphasize data possession. The threat escalates if payment is refused. The group warns that stolen data will be distributed, either sold to other malicious actors or publicly released through their own channels, including blogs and torrent platforms. This dual-threat approach (financial loss combined with reputational damage) is a hallmark of modern ransomware campaigns.

Organizations affected by the attacks included Logitech, Harvard, Envoy Air, the United Kingdom’s National Health Service and The Washington Post. Clop is known for carrying out large-scale, carefully coordinated extortion campaigns that target organizations across multiple industries and regions, aiming to exploit vulnerabilities and extract data from many victims simultaneously rather than focusing on a single sector or location.

If your business has been the victim of a data breach or extortion incident, consider taking the following steps:

  1. Secure Operations
     Act quickly to contain the breach by securing systems, fixing vulnerabilities, locking affected physical areas, and mobilizing a response team of forensics, legal, and technical experts to investigate the cause and scope. Stop further data loss by taking affected equipment offline (without powering it down, so that volatile evidence is preserved), monitoring access points, replacing compromised systems where possible, and rotating all credentials to prevent continued unauthorized access.
  2. Fix Vulnerabilities
     Work with forensic experts to assess the breach: check encryption, review backups and logs, identify who had and still has access, and limit that access where it is unnecessary. Determine what data was compromised, how many people were affected, and whether you can contact them. Examine who, within and outside your organization, has access to information, and determine whether privileges need to be changed.
  3. Notify Appropriate Parties
     Determine your legal requirements, as some states have specific laws and regulations regarding who must be notified. Additionally, law enforcement can aid in the investigation and should be notified shortly after initial discovery.

Copyright © 2026 DarkOwl, LLC All rights reserved.