A hacker known as “Rey,” affiliated with the Hellcat ransomware group, claims to have stolen 106 GB of internal data from Spanish telecom giant Telefónica on 30 May 2025, threatening full public release unless demands are met. This incident suggests a follow-up breach after the January 2025 Hellcat attack and raises concerns about lingering misconfigurations in critical internal systems, a matter of immediate interest to cybersecurity services and security circles globally.
- Late May 2025: Hellcat-associated hacker “Rey” claims 12-hour uninterrupted access to Telefónica’s internal Jira server due to a misconfiguration that followed a prior breach.
- 30 May 2025: Alleged date of data exfiltration: 106.3 GB spanning 385,311 files, including internal communications, purchase orders, logs, and customer and employee records.
- Early July 2025: A 2.6 GB sample leak (5 GB unpacked, ~20,000 files) is shared with media, containing employee emails and invoices across Europe and Latin America.
Telefónica’s Position
- Telefónica O2 personnel told BleepingComputer that the leaked data is old, not indicative of a new breach.
- The most recent timestamp in leaked files dates to 2021, supporting their claims of a past incident. Yet “Rey” maintains the data came from the May breach and continues leaking parts to pressure Telefónica.
Regional Resonance: Implications for MEA
MEA Regulatory Context
- In the Middle East and Africa, regions prioritizing regulatory compliance (e.g., UAE’s NESA, South Africa’s POPIA), this incident highlights the risk posed by neglecting internal system security—even after an incident has seemed resolved.
- Telecom operators in the region frequently deploy Jira and internal ticketing systems; the Telefónica case highlights a sector-wide attack surface.
Potential MEA Exposures
- Multinational telecoms headquartered or operating in the MEA region might share similar internal systems and codebases—misconfigurations could echo across borders.
- The leaked invoices span Latin America and Europe, so files could also include MEA-linked customer or employee data, though specific inclusion is not yet confirmed.
Global Context & Precedent
Hellcat’s History
- Hellcat previously breached Telefónica in January 2025, stealing ~2.3 GB from its Jira system via compromised credentials.
- The group also targeted Schneider Electric, exfiltrating 40 GB in November 2024, showcasing its signature tactic of exploiting Jira misconfigurations.
Emerging Leak-Drop Strategy
- Hellcat’s tactics now include public sample releases as proof-of-breach, combining extortion-like pressure with stealth data dumps—reflecting a wider shift in the ransomware/leakware models used by groups like Clop and LockBit.
Technical Analysis (MITRE ATT&CK)
| Phase | Technique | TID |
|---|---|---|
| Initial Access | Valid Accounts (stolen credentials) | T1078 |
| Execution | Unauthenticated Access to Internal Jira | T1190 |
| Discovery | Internal Ticketing System Discovery | T1083 |
| Collection | Data from Information Repositories | T1213 |
| Exfiltration | Automated Exfiltration via Cloud Storage | T1048 |
| Impact | Data Disclosure (public/scheduled leak) | T1491 |
IOCs: The shared sample (~20,000 files) carries file metadata with ~2021 dates; the threat actor hosted it on PixelDrain and Kotizada links that Chrome flagged as unsafe.
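The hosting services named above are the kind of destination a proxy-log detector can watch for. The following is an added example written for this article, not code from Telefónica, Hellcat or any of the cited outlets. It assumes a squid-style access log with the fields epoch, client IP, user, method, host and bytes sent by the client; the log lines are constructed. pixeldrain.com is PixelDrain's real domain, while the Kotizada hostname is a placeholder because the article does not give it.

```python
"""Flag bulk uploads to known file-sharing hosts in constructed proxy logs.

Added example for this article (not Telefónica's or BleepingComputer's code).
Log format assumed: <epoch> <client_ip> <user> <method> <host> <bytes_sent>.
"""
from collections import defaultdict

# Hosts the article names as hosting the leaked sample.
# kotizada.example is a placeholder: the article does not give the real domain.
WATCHED_HOSTS = {"pixeldrain.com", "kotizada.example"}

# Methods that move data out of the network; plain GETs are ignored because
# the signal described in the article is bulk data leaving, not a download.
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
1748600000 10.20.30.41 jsmith POST pixeldrain.com 734003200
1748600012 10.20.30.41 jsmith POST pixeldrain.com 891289600
1748600020 10.20.30.77 mlopez GET www.atlassian.com 4096
1748600030 10.20.30.41 jsmith POST pixeldrain.com 1153433600
1748600045 10.20.30.12 svc-backup PUT kotizada.example 52428800
1748600050 10.20.30.77 mlopez GET pixeldrain.com 20480
"""


def parse_line(line):
    """Split one access-log line into a record with typed fields."""
    epoch, client, user, method, host, nbytes = line.split()
    return {"epoch": int(epoch), "client": client, "user": user,
            "method": method, "host": host.lower(), "bytes": int(nbytes)}


def flag_uploads(log_text, threshold_bytes=100 * 1024 * 1024):
    """Return {(user, host): total_bytes} for uploads to watched hosts
    whose summed volume reaches threshold_bytes (default 100 MiB).

    Totals are aggregated per user and host so that many medium-sized
    chunks (a common way to push a large archive) still trip the alert.
    """
    totals = defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["host"] in WATCHED_HOSTS and rec["method"] in UPLOAD_METHODS:
            totals[(rec["user"], rec["host"])] += rec["bytes"]
    return {key: total for key, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for (user, host), total in flag_uploads(SAMPLE_LOG).items():
        print(f"ALERT {user} uploaded {total / 2**20:.0f} MiB to {host}")
```

With the default threshold only jsmith's ~2.6 GB of POSTs to pixeldrain.com is reported; the 50 MiB PUT by svc-backup stays below the bar, and mlopez's downloads are not counted at all. In production the host set would come from a maintained block list rather than two literals, and the threshold should be tuned per network.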
Expert & Official Reactions
Cybersecurity Community
“Hellcat’s tactic of sifting old data while claiming recency is calculated to undermine trust—even old data proves glaring config failures.” – Mitchell Langley, Security Analyst
“A 12‑hour misconfigured Jira window speaks volumes about persistent gaps post‑incident.” – Antonio Fernandes, CISO (Spain) (bleepingcomputer.com)
Telefónica
- Telefónica acknowledges the January breach and confirms an internal server incident, but to date denies a fresh breach, attributing the current claims to extortion tactics based on old data.
Actionable Takeaways for Defenders
- Audit and Lockdown Jira Instances: Enforce strict authentication, network whitelisting, and MFA on internal ticketing systems.
- Immediate Misconfiguration Detection: Regularly scan essential internal systems (like Jira) for hardening gaps.
- Credential Handling Hygiene: Rotate credentials and remove stale privileged accounts post-incident.
- Network Segmentation: Isolate internal dev systems from the wider enterprise network.
- Monitor Exfil Outputs: Watch for traffic to cloud storage endpoints like PixelDrain or Kotizada.
- Deploy EDR and UBA: Look for unusual file exfil operations or abnormal access spikes.
- Data Leak Follow-Up: Even old leaks can be repurposed; patch and harden swiftly.
- Incident Response Update: Include leak-timing and public proof-threat scenarios in tabletop exercises.
- Boost External Monitoring: Track dark web, hacker forums, and social channels for leak announcements.
- Prepare Communications: Have crisis messaging ready to manage disclosure and dispel extortion narratives.
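One concrete form of the Jira audit and misconfiguration checks above is to review each permission scheme for grants to anonymous users. The script below is an added example written for this article, not Telefónica's or Atlassian's code. It assumes the JSON shape that Jira's REST endpoint GET /rest/api/2/permissionscheme/{id}?expand=permissions returns (a list of permissions, each with a holder whose type can be "anyone"); the scheme it parses is constructed, and the set of permissions treated as sensitive is the author's judgement, not a Jira definition.

```python
"""Audit a Jira permission scheme export for anonymous ("anyone") grants.

Added example for this article, not Telefónica's or Atlassian's code.
The JSON shape is assumed from Jira's permissionscheme REST response;
the scheme below is constructed.
"""
import json

# Permissions that expose ticket content or let an outsider act on a project
# when granted to "anyone" (anonymous). Chosen for this example, not a Jira list.
SENSITIVE = {"BROWSE_PROJECTS", "ADMINISTER_PROJECTS",
             "CREATE_ATTACHMENTS", "VIEW_DEV_TOOLS"}

# Constructed sample scheme with one anonymous grant that matters and one that does not.
SAMPLE_SCHEME = json.dumps({
    "id": 10000,
    "name": "Internal Ops Scheme (constructed)",
    "permissions": [
        {"holder": {"type": "anyone"}, "permission": "BROWSE_PROJECTS"},
        {"holder": {"type": "projectRole", "parameter": "10002"},
         "permission": "ADMINISTER_PROJECTS"},
        {"holder": {"type": "anyone"}, "permission": "CREATE_ISSUES"},
        {"holder": {"type": "group", "parameter": "jira-software-users"},
         "permission": "CREATE_ATTACHMENTS"},
    ],
})

# A scheme with no anonymous holders at all, for comparison.
CLEAN_SCHEME = json.dumps({
    "id": 10001,
    "name": "Locked Down Scheme (constructed)",
    "permissions": [
        {"holder": {"type": "group", "parameter": "jira-software-users"},
         "permission": "BROWSE_PROJECTS"},
    ],
})


def anonymous_grants(scheme_json):
    """Return the sorted permission keys granted to the 'anyone' holder."""
    scheme = json.loads(scheme_json)
    return sorted(p["permission"] for p in scheme.get("permissions", [])
                  if p.get("holder", {}).get("type") == "anyone")


def audit(scheme_json):
    """Summarise anonymous exposure for one scheme.

    severity is 'critical' when a sensitive permission is open to anyone,
    'warning' when only lesser permissions are, and 'ok' otherwise.
    """
    grants = anonymous_grants(scheme_json)
    exposed = [g for g in grants if g in SENSITIVE]
    if exposed:
        severity = "critical"
    elif grants:
        severity = "warning"
    else:
        severity = "ok"
    return {"anonymous": grants, "exposed_sensitive": exposed, "severity": severity}


if __name__ == "__main__":
    for scheme in (SAMPLE_SCHEME, CLEAN_SCHEME):
        result = audit(scheme)
        print(json.loads(scheme)["name"], "->", result["severity"], result["anonymous"])
```

Against a live instance the scheme JSON would be fetched with an authenticated administrator session and audit() run over every scheme, with any "critical" result treated as a finding to fix before the next incident review rather than after it.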
Conclusion
The threatened release of 106 GB of Telefónica data underlines the precariousness of internal systems, even those thought to be secured post-incident. For CISOs, SOC leaders, and MEA-based telecom operators, this is a wake‑up call to rethink incident response, system hardening, and threat monitoring. Whether the data is new or recycled, legacy vulnerabilities can still cripple trust and reputation. Immediate audits and stronger controls are vital to closing these dangerous gaps.
Sources
- BleepingComputer – “Hacker leaks Telefónica data allegedly stolen…” (4 Jul 2025)
- Cybernoz – Mirror coverage (4 Jul 2025)
- Undercode News – Analysis of claim and silence (Jul 2025)
- Daily Security Review – Employee impact & Malware insight (5 days ago)
- SentryBay, TechRadar, ThaiCERT, others on January breach