Char count on the tweet was over budget, so here is the final output with a tightened tweet.
title: "Ecopetrol: Cyberattack and Data Theft From 3,300 Accounts" date: 2026-07-18 slug: ecopetrol-cyberattack-data-breach
Ecopetrol: Cyberattack and Data Theft From 3,300 Accounts
Ecopetrol, Colombia's largest company and one of Latin America's biggest energy producers, confirmed on Friday that an unidentified external attacker breached its cloud-based file storage systems and stole data tied to roughly 3,300 user accounts. The intrusion spanned approximately 15 subsidiaries, including Ecopetrol itself, and was accompanied by an attempted ransomware attack that the company says its security controls blocked. The attacker has since issued extortion demands and threatened to publicly release the stolen data. Ecopetrol warned it cannot rule out a "material adverse" financial impact.
What Happened
In a statement filed Friday, Ecopetrol SA disclosed that it identified unauthorized access to digital resources belonging to the company and its subsidiaries by an external actor that has not been identified. The unauthorized access targeted cloud-based file storage environments across approximately 15 subsidiaries and resulted in the download of data linked to about 3,300 user accounts.
Alongside the data theft, the company detected and blocked an attempted ransomware attack aimed at the same systems. Ecopetrol says it has activated its incident response protocols and launched an investigation, and that it will disclose further material information as required by law if the situation develops. As of Friday, the company reported no disruption to operations, production capacity, or direct financial results.
What Was Taken
The breach exposed data tied to roughly 3,300 user accounts held within cloud-based file storage systems across some 15 subsidiaries. Ecopetrol has not published a detailed inventory of the specific data types compromised, but file-storage repositories at an integrated energy company of this size typically hold a mix of employee records, contractor and vendor information, internal documents, and operational or commercial files.
The attacker has communicated extortion demands and threatened to publish the stolen data. As of Friday, according to Reuters, none of the data had surfaced publicly, meaning the extortion threat remains active and unresolved rather than executed.
Why It Matters
Ecopetrol is Colombia's largest company and among the largest integrated energy firms in the Americas, employing more than 19,000 people and accounting for more than 60% of the country's hydrocarbon production. It holds leading positions in petrochemicals and gas distribution, and through its majority stake in ISA it is tied to energy transmission and grid operations across the region, including Colombia's real-time grid management system.
The company is listed on both the Colombian Stock Exchange and the New York Stock Exchange, so a confirmed financial or operational impact could carry consequences well beyond Colombia's borders. A breach at a state-controlled operator of critical national energy infrastructure is a national-security concern as much as a corporate one, and it renews long-standing questions about the cybersecurity posture of critical infrastructure providers across the sector.
The Attack Technique
Ecopetrol has not attributed the intrusion to a named threat actor and describes it only as an unidentified external actor. The confirmed elements form a recognizable pattern: unauthorized access to cloud-based file storage, bulk exfiltration of data across multiple subsidiaries, a paired ransomware attempt, and follow-on extortion with a threat to leak.
This double-extortion approach, where data is stolen for leverage and encryption is attempted in parallel, is the dominant playbook among modern ransomware and extortion crews. The fact that data theft succeeded while the ransomware deployment was blocked suggests the attacker gained meaningful access to the storage environment before defensive controls interrupted the encryption stage. The cross-subsidiary scope points to either a shared or federated cloud storage tenancy or reused access that let the attacker pivot across affiliated environments.
What Organizations Should Do
- Audit cloud file storage permissions across all subsidiaries and affiliates, enforcing least-privilege access and eliminating standing broad-access or legacy accounts that enable lateral movement between related tenants.
- Enforce phishing-resistant multi-factor authentication on all accounts with access to cloud storage and administrative consoles, prioritizing service accounts and third-party integrations.
- Deploy data loss prevention and anomaly detection to flag bulk downloads and unusual exfiltration patterns from file storage, which are often the earliest observable sign of an extortion-driven intrusion.
- Segment and isolate subsidiary environments so that access to one entity's cloud resources does not translate into access across the entire corporate group.
- Maintain and regularly test immutable, offline backups, and validate that ransomware-blocking controls (EDR, tamper protection, execution policies) are consistently deployed rather than uneven across business units.
- Prepare an extortion-specific incident response and communications plan in advance, including legal disclosure obligations for dual-listed companies and a decision framework for handling leak threats.
Sources: Ecopetrol Cyberattack: Colombian Energy Giant Says Data From 3...