SYS::ONLINE
Wasteland.
Briefs1238
Issues19
SinceFeb 2026
LIVE
█ Ransomware DANONE-QILIN-RANSO 2026-07-18

Danone: Qilin Ransomware Data Leak

"French multinational food and beverage giant Danone, the maker of Evian water, International Delight creamer, and Silk almond milk, has been claimed by the Qilin ransomware gang. The Russian-linked group listed Danone…"

French multinational food and beverage giant Danone, the maker of Evian water, International Delight creamer, and Silk almond milk, has been claimed by the Qilin ransomware gang. The Russian-linked group listed Danone on its dark web leak site earlier this week, asserting it exfiltrated 221 GB of data, or 91,558 files, from the conglomerate's internal servers. The claim was surfaced and verified by Cybernews, which was able to view a sample proof pack posted by the attackers. Danone had not responded to inquiries at the time of the original report.

What Happened

Qilin, one of the most prolific ransomware operations active today, added Danone to its extortion leak site within the past week. The gang claims to have stolen a massive cache of 91,558 files totaling 221 GB from the company's internal infrastructure. As is typical for a double-extortion play, the listing serves as public pressure, signaling that data has already been taken and threatening full publication if a ransom demand goes unmet.

The attackers did not explicitly enumerate the full scope of data types they allegedly hold. To lend credibility to the claim, however, they posted a sample of six files. Cybernews reviewed that proof pack and confirmed it contained legitimate-looking corporate documents, dating from 2023 through 2025, consistent with material pulled from a corporate file environment.

Danone is a substantial target. According to the company, it operates more than 180 production facilities across 55 countries and employs over 90,000 people. In the US alone, the firm runs 13 manufacturing facilities, an R&D center, and two headquarters, including a major regional hub just outside New York City.

What Was Taken

Based on the six-file sample the gang published, the stolen material appears to span sensitive financial, commercial, and legal records. The proof pack included:

While six files is a tiny fraction of the claimed 91,558, the categories they represent are significant. Financial summaries expose internal performance data. Customer account databases and sales reports carry commercial intelligence and potentially personal or contractual information about business partners. NDAs and confidentiality agreements can reveal third-party relationships and legal obligations, expanding the blast radius beyond Danone itself. The full 221 GB set, if genuine, almost certainly contains far more sensitive records than the curated sample suggests.

Why It Matters

The food and beverage sector sits at the intersection of critical infrastructure and complex global supply chains, making it an attractive and high-leverage target for extortion groups. A disruption or data leak at a company of Danone's scale ripples outward to retailers, distributors, and business customers named in the stolen contracts and sales reports.

Qilin's involvement raises the stakes further. First identified by researchers in 2022, the group earned the title of most active ransomware gang of 2025 and has held that top spot through the first half of 2026. According to Cybernews' Ransomlooker surveillance tool, Qilin listed more than 1,000 victims in 2025 and has already claimed over 700 additional victims by mid-July 2026. This is not an opportunistic one-off; it is an industrial-scale extortion operation with a demonstrated willingness to publish.

The gang's recent targeting history underscores its reach and appetite for high-impact data. Last month it claimed 1-800-Dentist, threatening to leak the health data of millions of users of the US dental referral service. In the first half of the year it also claimed two New York-centric organizations: the Shipping Association of New York and New Jersey, which operates one of North America's busiest ports, and TWU Local 100, a union representing more than 67,000 active and retired transit workers.

The Attack Technique

Neither Qilin nor Danone has disclosed the initial access vector for this specific incident, and the report does not confirm how the intrusion occurred. That gap is common at this stage, when the claim is fresh and the victim has not yet issued a statement.

Qilin's broader operating model provides context for defenders. The group runs a ransomware-as-a-service program, meaning affiliates carry out intrusions using a range of techniques. Historically, ransomware affiliates gain entry through phishing, exploitation of internet-facing vulnerabilities, compromised or reused credentials, and access purchased from initial access brokers. The double-extortion pattern seen here, where large volumes of files are exfiltrated before any encryption or public listing, points to an actor that spent time inside the network moving laterally and staging data for theft. Until Danone or investigators publish findings, the specific entry point remains unconfirmed.

What Organizations Should Do

Sources: Qilin ransomware claims global food giant Danone, leaks 90,000 files