Dutch Paint Giant AkzoNobel Hit by Anubis Ransomware
Anubis gang claims 170GB of data including passport scans and client agreements from AkzoNobel's US operations. Company says breach contained.
AkzoNobel, the Dutch multinational behind paint brands including Dulux and Sikkens, confirmed hackers breached one of its U.S. facilities after the Anubis ransomware gang published stolen data. The attackers claim to have exfiltrated 170GB of files, including passport scans, confidential client agreements, and technical documents.
The company told BleepingComputer the incident was "limited to the respective site and was already contained," with "limited" impact. AkzoNobel is notifying affected parties and working with authorities, but hasn't disclosed whether any ransom demand was made or paid.
What Data Was Stolen
According to listings on the Anubis leak site, the stolen dataset includes:
- Confidential client agreements and contracts
- Employee contact information and personnel records
- Passport scans and identity documents
- Private internal emails
- Technical documentation
The presence of passport scans is particularly concerning. Identity documents enable fraud, identity theft, and potential targeting of individuals for social engineering attacks. For employees whose passports were exposed, the remediation process is expensive and time-consuming.
AkzoNobel operates in over 150 countries with approximately 33,000 employees. The company produces paints, coatings, and specialty chemicals for construction, automotive, aerospace, and marine industries. Client agreements could reveal pricing, formulations, or supply chain details valuable to competitors.
Who Is Anubis
Anubis is a ransomware-as-a-service (RaaS) operation that launched in December 2024, offering affiliates 80% of collected ransoms. The group ramped up activity after posting an affiliate recruitment thread on the RAMP forum in February 2025.
The operation distinguished itself through aggressive tactics. In June 2025, Anubis added a data wiper capability to its arsenal—a tool that destroys victim files to make recovery impossible if ransom demands aren't met. This represents an escalation beyond traditional ransomware, which typically preserves files to enable restoration after payment.
Anubis has targeted organizations across manufacturing, healthcare, and professional services sectors. The Ingram Micro breach earlier this year demonstrated how ransomware groups are increasingly focusing on supply chain companies that touch multiple downstream organizations.
Manufacturing Under Pressure
Manufacturing companies face elevated ransomware risk for several reasons. Production environments often rely on legacy systems with poor security controls. Operational technology (OT) networks were designed for reliability, not defense against modern threats. And production downtime creates immediate financial pressure to pay ransoms quickly.
AkzoNobel's confirmation that the breach was "contained" to a single U.S. site suggests network segmentation may have limited the attack's spread. That's a meaningful security win—many manufacturers struggle with flat networks where initial access enables lateral movement across global operations.
Still, the data theft succeeded. Ransomware groups have learned that even if encryption is prevented, stolen data provides leverage through the threat of publication. This double extortion model means organizations can't simply restore from backups and move on; they must address the data exposure regardless of whether operational systems were impacted.
For context on how ransomware attacks have evolved from simple encryption schemes to sophisticated data theft operations, our guide covers the current threat landscape.
Industry Response
The chemical and coatings industry has seen multiple breaches in recent years, though major multinationals typically avoid public disclosure unless forced by leak site publications or regulatory requirements.
AkzoNobel's relatively transparent response—confirming the breach and committing to notify affected parties—contrasts with organizations that attempt to minimize or deny incidents until evidence becomes undeniable. The Dartmouth Clop breach showed how delayed disclosure compounds reputational damage when the full scope eventually emerges.
Whether AkzoNobel engaged with the attackers remains unclear. The company's statement that the incident has been "contained" doesn't address whether negotiations occurred or if any payment was made. Ransomware payments remain controversial—they fund criminal operations but sometimes represent the least-bad option for data recovery or preventing further publication.
What Affected Individuals Should Do
If you're an AkzoNobel employee, contractor, or client who may have data in the compromised U.S. systems:
- Monitor for official notification from AkzoNobel with specific details about what was exposed
- Place fraud alerts on credit reports if passport or identity information may be included
- Watch for phishing attempts that use information from the breach to make social engineering more convincing
- Consider passport replacement if scans were definitely exposed—compromised documents enable identity fraud
- Enable MFA everywhere, as stolen credentials may be used in credential stuffing attacks
Frequently Asked Questions
Which AkzoNobel brands are affected?
The company hasn't specified which business unit was compromised. AkzoNobel operates brands including Dulux, Sikkens, International, and Interpon across paints, coatings, and specialty chemicals segments.
Is my personal data at risk if I've purchased AkzoNobel products?
Likely not. The breach appears limited to a single U.S. facility, and consumer purchase data is typically not stored at manufacturing sites. The exposed data focuses on business relationships, employees, and operational documents.
Should I be concerned about product safety or authenticity?
No evidence suggests attackers accessed formulation data or production systems that could impact product integrity. AkzoNobel's statement that the breach was contained suggests manufacturing operations weren't affected.