AkzoNobel
Analysis of the Anubis ransomware attack on AkzoNobel where the group claims to have stolen 170GB of data including passport scans and confidential agreements from the global paints and coatings manufacturer.
Published by the Scrutex.ai Research Team | March 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation
AkzoNobel
Dutch multinational company specialising in paints and coatings, operating in over 150 countries with annual revenue exceeding $12 billion. Known for brands including Dulux, International, and Sikkens.
Sector
Manufacturing / Chemicals
Region
Netherlands
Date of Incident
March 2026
Date Disclosed
March 2026
Estimated Impact
170GB of data allegedly stolen
Data Types Exposed
Confidential agreements, email addresses, phone numbers, private emails, passport scans, internal technical documents
Attack Type
Ransomware
Attack Vector
Anubis ransomware deployment; initial access vector not yet publicly disclosed
Threat Actor
Anubis
Current Status
AkzoNobel confirmed to Bleeping Computer that hackers breached the network of one of its US sites. The Anubis ransomware group claims to hold 170GB of stolen data.
Severity Assessment
High. The allegedly stolen data includes passport scans and confidential business agreements, representing both personal identity theft risk and significant commercial sensitivity. However, AkzoNobel states the compromise was limited to one US site, which may contain the overall impact.
What Happened
The Anubis ransomware group claimed to have stolen 170GB of data from AkzoNobel, the Dutch multinational paints and coatings manufacturer. The allegedly stolen data reportedly includes confidential agreements, email addresses, phone numbers, private emails, passport scans, and internal technical documents.
AkzoNobel confirmed to Bleeping Computer that hackers breached the network of one of its US sites. The company operates in over 150 countries with annual revenue exceeding $12 billion.
Timeline
March 2026
Anubis ransomware group claims to have breached AkzoNobel and stolen 170GB of data
March 2026
AkzoNobel confirms breach of one US site network to Bleeping Computer
Threat Actor Profile
Anubis is a ransomware group that has been active in targeting large multinational organisations. The group follows the now-standard double extortion model: encrypting systems while also exfiltrating data to use as leverage for ransom payment.
Impact and Risk Assessment
For Affected Individuals
Employees or contacts whose passport scans were allegedly stolen face identity theft risk. Passport data combined with other personal details (email, phone number, address) provides a comprehensive identity package for fraud.
For Organisations
The alleged theft of confidential agreements and internal technical documents could expose AkzoNobel’s commercial relationships, intellectual property, and competitive positioning. For a company operating across 150 countries, even a breach limited to one US site may contain data with global business implications.
Regulatory Context
As a Dutch-headquartered company with operations across the EU and US, AkzoNobel faces notification obligations under GDPR for EU-resident data and state-level breach notification laws for US-resident data. The exposure of passport scans may trigger enhanced notification requirements under GDPR given the sensitivity of identity documents.
What Should You Do?
If You Are a Potentially Affected Individual
If you are an AkzoNobel employee or business contact, be alert to phishing attempts that reference specific internal details, projects, or agreements.
If your passport data may have been involved, consider monitoring for identity fraud and contacting your passport-issuing authority for advice.
If You Are a Security or Risk Professional
Review your organisation’s policies on storing passport scans and identity documents digitally. Apply data minimisation principles and consider whether scans need to be retained after initial verification.
Ensure network segmentation limits the data accessible from any single site, particularly for multinational organisations where one compromised location could contain globally relevant data.
Learnings and Recommendations
Passport scans and identity documents stored digitally represent high-value targets that create significant identity theft risk when stolen. Organisations should minimise retention of identity document copies and apply enhanced encryption where retention is necessary.
Multinational manufacturers with operations across 150+ countries face complex breach response obligations when a single site is compromised, as the data at that site may implicate individuals and regulations across multiple jurisdictions.
This advisory is provided for informational purposes by the Scrutex.ai research team. It is based on publicly available reporting from the sources cited above. Where details are unconfirmed or disputed, we have noted this accordingly. Scrutex.ai does not independently verify internal claims made by affected organisations. Organisations concerned about their own exposure are encouraged to conduct their own assessments and seek professional advice where needed.
Stay ahead of the next breach
Scrutex monitors dark web sources, breach databases, and threat actor activity continuously, detecting exposure that affects your organisation before it becomes a headline.