On June 3, 2026, the Akira ransomware group claimed responsibility for a cyberattack on Factors Western, a Canadian provider of factoring services. The threat actors threatened to publish a sizable cache of corporate data, including employee and client personal information, passport scans, contracts, financials, and personal data belonging to professional hockey players including Connor McDavid.
What Happened
Akira added Factors Western to its data leak site on June 3, 2026, claiming successful exfiltration of corporate data from the firm's internal environment. In their post, the group described Factors Western's business model, factoring receivables to provide cash flow to clients across multiple industries, and stated that data uploads to the leak portal would follow. The disclosure follows Akira's established double-extortion playbook: encrypt systems, exfiltrate data, then publicly name victims to pressure payment.
What Was Taken
According to Akira's statement, the stolen dataset includes:
- Employee records: names, phone numbers, and passport details
- Client data: personal and contact information tied to factored receivables
- High-profile individual records: personal information on NHL players, with Connor McDavid named specifically
- Contracts and agreements covering factoring arrangements and business relationships
- Financial records, including ledgers and project documentation
- Internal corporate project files
The combination of passport data, financial records, and athlete PII represents a high-value cache for follow-on identity fraud, social engineering, and targeted extortion of named individuals.
Why It Matters
Factoring firms hold an unusually dense concentration of sensitive third-party data: client receivables, debtor information, banking instructions, and underwriting files for hundreds of downstream businesses. A breach at a factoring provider is effectively a supply-chain breach against every client whose invoices and counterparties are managed in those systems. The named exposure of professional athletes adds a reputational and personal-safety dimension that elevates this from a routine corporate incident to a high-visibility case likely to attract media, regulator, and law-enforcement attention in Canada.
The Attack Technique
Akira has not disclosed its initial access vector for this intrusion. Across confirmed 2025 and 2026 cases, the group has consistently relied on compromised VPN appliances lacking multi-factor authentication, exploitation of known edge-device vulnerabilities (notably in SonicWall and Cisco ASA appliances), and credentials sourced from infostealer logs. Post-access, Akira affiliates typically deploy living-off-the-land tooling, abuse RMM software for persistence, exfiltrate via Rclone or WinSCP, and detonate the Akira encryptor on Windows and ESXi hosts.
What Organizations Should Do
- Audit and harden remote access: enforce MFA on all VPN and remote management endpoints, and patch known-exploited vulnerabilities in edge appliances.
- Hunt for Akira indicators: review logs for Rclone, AnyDesk, and unauthorized RMM activity, and correlate against current Akira IOC feeds.
- Validate offline, immutable backups: confirm recoverability of critical systems and ensure backup credentials are segmented from production identity stores.
- Monitor for exposed credentials: track infostealer log markets and dark-web forums for credentials tied to your domains and key personnel.
- Prepare third-party notification workflows: factoring and financial-services firms should pre-stage breach notifications for clients and regulators under PIPEDA.
- Engage incident response and legal counsel before any communication with the threat actor or ransom broker.
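One way to run the hunt for Rclone, WinSCP, and AnyDesk activity recommended above, as an added example that is not from the original report or from Akira IOC feeds. It assumes process-creation events exported as JSON lines with Sysmon-style fields (Image, OriginalFileName, CommandLine, Computer, User); the RMM host allowlist and every sample event are constructed.

```python
import json
import ntpath
import re

# Tools named on this page, mapped to a hunt category.
TOOLS = {"rclone.exe": "exfil", "winscp.exe": "exfil", "winscp.com": "exfil",
         "anydesk.exe": "rmm"}
# Assumption: hosts where RMM use is approved (hypothetical allowlist).
APPROVED_RMM_HOSTS = {"HELPDESK-01"}
# An rclone transfer verb plus a "remote:path" argument survives a binary rename.
RCLONE_CMD = re.compile(r"\s(copy|sync|move)\s.*\s[\w-]{2,}:\S*", re.I)
RCLONE_FLAGS = ("--transfers", "--bwlimit", "--no-check-certificate", "--max-age")

def classify(event):
    """Return (category, reason) for a suspicious process event, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    name = image if image in TOOLS else original if original in TOOLS else None
    if name is None:
        # No name match: fall back to the shape of an rclone command line.
        if RCLONE_CMD.search(cmd) and any(f in cmd.lower() for f in RCLONE_FLAGS):
            return ("exfil", "rclone-style command line from " + image)
        return None
    if TOOLS[name] == "rmm" and event.get("Computer") in APPROVED_RMM_HOSTS:
        return None  # approved RMM use, not a finding
    reason = name if name == image else f"{name} renamed to {image}"
    return (TOOLS[name], reason)

def hunt(lines):
    """Parse JSON-lines events; return (host, user, category, reason) findings."""
    findings = []
    for event in map(json.loads, lines):
        hit = classify(event)
        if hit:
            findings.append((event.get("Computer"), event.get("User"), *hit))
    return findings

# Constructed sample events (not from a real incident).
SAMPLE = [json.dumps(e) for e in (
    {"Computer": "FS01", "User": r"CORP\svc_backup", "Image": r"C:\ProgramData\rclone.exe", "CommandLine": r"rclone.exe copy D:\Finance remote:bucket --transfers 16"},
    {"Computer": "FS01", "User": r"CORP\svc_backup", "Image": r"C:\Users\Public\svchost32.exe", "OriginalFileName": "rclone.exe", "CommandLine": "svchost32.exe lsd remote:"},
    {"Computer": "WS07", "User": r"CORP\jdoe", "Image": r"C:\Windows\Temp\sync.exe", "CommandLine": r"sync.exe copy \\fs01\contracts store:dump --bwlimit 10M"},
    {"Computer": "HELPDESK-01", "User": r"CORP\it", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"Computer": "DC02", "User": r"CORP\admin", "Image": r"C:\Users\admin\Downloads\AnyDesk.exe", "CommandLine": "AnyDesk.exe --install"},
    {"Computer": "WS03", "User": r"CORP\jdoe", "Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe a.txt"},
)]

if __name__ == "__main__":
    print(*hunt(SAMPLE), sep="\n")
```

The name and command-line matches are triage leads, not verdicts: each hit still needs correlation with network egress and with the change records for the host.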
Sources: Akira Ransomware Attack on Factors Western - DeXpose