China-based video surveillance manufacturer Zhejiang Uniview Technologies Co Ltd has been listed on The Gentlemen ransomware group's leak site, with the operators claiming to hold roughly 2,992,978 files totaling 4.3 TB of exfiltrated data. The listing appeared on April 21, 2026, and threatens publication of the allegedly stolen data within 9 to 10 days. As of reporting, no public breach notice was visible on Uniview's website and no file inventory has been confirmed.

What Happened

The Gentlemen ransomware group added Uniview Technologies to its public leak site on April 21, 2026, asserting that internal data has been exfiltrated and setting a short countdown to release. The volume cited, nearly three million files at 4.3 TB, is consistent with broad access to shared file systems rather than a narrow, targeted theft. Uniview is the third-largest video surveillance manufacturer in China and the fourth-largest globally, operating across 145 countries and serving government agencies, critical infrastructure operators, commercial enterprises, and security integrators. The countdown is the only public signal from the actor at this stage, and Uniview has not publicly acknowledged an incident.

What Was Taken

The leak site references approximately 2,992,978 files totaling 4.3 TB. The actor has not published a confirmed inventory, but data sets of that scale typically traverse multiple internal systems, including:

Given Uniview's customer base of government bodies and critical infrastructure operators, downstream exposure could extend to deployment diagrams, integration credentials, support tickets, and configuration data tied to surveillance estates outside Uniview itself.

Why It Matters

A compromise at a top-tier CCTV and video surveillance vendor carries a blast radius well beyond the vendor's own perimeter. Surveillance manufacturers hold sensitive technical detail about deployed products, including firmware, default configurations, vulnerability information disclosed by customers, and in many cases remote management or update infrastructure. Customer-side data, such as device serial numbers, deployment locations, network topology, and integrator contacts, can give a downstream actor a head start on targeting protected sites. For government and critical infrastructure operators that rely on Uniview hardware, the most immediate concern is whether any data stolen from Uniview can be repurposed for follow-on intrusions against the surveillance estate they operate.

The Attack Technique

The Gentlemen has not publicly described the initial access vector or tooling used in the Uniview intrusion, and Uniview has not released technical detail. The Gentlemen is a relatively young ransomware brand operating a double-extortion model, with public leak-site activity targeting manufacturing, technology, and services organizations. In comparable double-extortion intrusions against large multinational manufacturers, common vectors include exploitation of edge appliances and VPN gateways, exposed remote access services, abuse of valid accounts obtained through infostealer logs, and lateral movement through flat enterprise networks to reach shared storage and backup systems. The 4.3 TB volume strongly implies either prolonged dwell time with staged exfiltration or access to a centralized, high-volume data store.

What Organizations Should Do

  1. Inventory Uniview hardware, firmware versions, and management software in your environment, and isolate any device management interfaces from the public internet.
  2. Rotate credentials, API keys, and certificates associated with Uniview device management, integrator portals, and any shared support accounts.
  3. Hunt for outbound connections from camera and NVR management subnets to unfamiliar destinations, and review VPN and remote-support session logs for the past 90 days.
  4. Treat any leaked customer-side data, including deployment diagrams, serial numbers, and support correspondence, as a targeting aid for follow-on intrusion attempts and prepare detections accordingly.
  5. Monitor The Gentlemen leak site for the actual file release and update exposure assessments once the data is published or sampled.
  6. Brief procurement, legal, and compliance teams on potential third-party notification obligations if customer data tied to your organization is referenced in the release.
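
A sketch of the hunt in step 3 over exported flow records, added here as an illustration and not taken from Uniview or the source report. The subnets, the expected-destination list, the CSV column names and the sample rows are all constructed assumptions to be replaced with your own.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed values: replace with your own camera/NVR subnets and the
# destinations those devices are expected to reach (VMS, NTP, update proxy).
MGMT_SUBNETS = [ip_network("10.20.30.0/24")]
EXPECTED_DSTS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.10/32")]

# Constructed flow export: start time, source, destination, port, bytes sent.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out
2026-04-02T01:10:00,10.20.30.15,10.20.1.5,554,48211000
2026-04-02T01:12:00,10.20.30.15,192.0.2.10,123,180
2026-04-03T02:00:00,10.20.30.22,203.0.113.77,443,912000000
2026-04-04T02:05:00,10.20.30.22,203.0.113.77,443,1104000000
2026-04-05T09:30:00,10.20.30.40,198.51.100.9,22,5200
2025-11-01T09:30:00,10.20.30.40,198.51.100.200,443,999
2026-04-05T10:00:00,10.99.1.8,203.0.113.77,443,700
"""

def in_any(addr, networks):
    return any(addr in net for net in networks)

def hunt_unfamiliar_egress(flow_csv, now, lookback_days=90):
    """Return per (src, dst, dport) totals for flows that leave the camera/NVR
    subnets for a destination outside EXPECTED_DSTS, largest volume first."""
    cutoff = now - timedelta(days=lookback_days)
    totals = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts = datetime.fromisoformat(row["ts"])
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if ts < cutoff or not in_any(src, MGMT_SUBNETS) or in_any(dst, EXPECTED_DSTS):
            continue
        hit = totals[(str(src), str(dst), int(row["dport"]))]
        hit["flows"] += 1
        hit["bytes_out"] += int(row["bytes_out"])
        hit["first"] = min(hit["first"] or ts, ts)
        hit["last"] = max(hit["last"] or ts, ts)
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    for (src, dst, dport), hit in hunt_unfamiliar_egress(SAMPLE_FLOWS, datetime(2026, 4, 22)):
        print(f"{src} -> {dst}:{dport} flows={hit['flows']} bytes_out={hit['bytes_out']} "
              f"first={hit['first']} last={hit['last']}")
```

Sorting by bytes sent puts sustained bulk transfers ahead of one-off connections, and the first and last timestamps give the window to line up against VPN and remote-support session logs.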

Sources: Uniview Technologies Data Breach Claimed by The Gentlemen Ransomware Group