UK enterprise software consultancy The Adaptavist Group has confirmed a security breach after an intruder used stolen credentials to access internal systems in late March 2026. While the company describes the exposure as limited to "typical business data," a ransomware crew calling itself "The Gentlemen" claims a far larger haul, including source code for the firm's ScriptRunner product and hundreds of thousands of customer records. The incident has already spawned impostor correspondence targeting Adaptavist's partners and clients.

What Happened

CEO Simon Haighton-Williams disclosed in an open letter to customers that Adaptavist detected an "IT security incident" in late March after an attacker logged in with compromised credentials. External incident response specialists have been engaged and a forensic investigation is underway. Adaptavist operates in the Atlassian ecosystem, building services and add-ons around Jira, Confluence, and related platforms, giving any compromise potentially wide downstream reach. Compounding the fallout, an unidentified third party has been sending "misleading correspondence" to customers and partners impersonating the breach response, forcing the company to issue warnings about the impostor activity.

What Was Taken

Adaptavist's official position is that the accessed systems contained only routine business-card-grade data (names, business email addresses, job roles, contact numbers, and organizations), along with contracts and NDAs tied to client engagements. The Gentlemen tell a different story on their dark web leak site, claiming a "complete infrastructure compromise" encompassing hundreds of thousands of alleged customer records, source code for products including ScriptRunner, internal documentation, and access to production systems. The gap between the two narratives is significant, and the forensic timeline has not yet caught up with the extortion claims.

Why It Matters

Adaptavist sits in a sensitive position as a trusted build and services partner for thousands of enterprise Atlassian customers. If the ransomware crew's claim of stolen ScriptRunner source code is accurate, the downstream risk extends well beyond Adaptavist itself, given ScriptRunner's deep administrative footprint in Jira and Confluence environments around the world. Stolen contracts, NDAs, and contact directories also provide high-quality targeting data for follow-on phishing, a risk already materializing in the impostor emails now circulating. The incident reinforces a recurring theme: breaches of supply-chain and integration partners cascade into their customers' threat models.

The Attack Technique

According to Trend Micro, The Gentlemen are a relative newcomer to the ransomware scene with a disciplined playbook: gain entry using valid credentials, move quietly through the environment, exfiltrate data, then use it as leverage. That pattern lines up with Adaptavist's own description of the intrusion as a stolen-credential login rather than an exploit of a zero-day or public-facing vulnerability. No initial access broker attribution, specific malware family, or encryption deployment has been confirmed publicly, and Adaptavist has not characterized the incident as a ransomware event in its communications.

What Organizations Should Do

Sources: Adaptavist Group breach: Ransomware crew claims mega-haul