Telefónica Faces New Data Leak Allegations After Hacker Publishes Sample Files

A hacker linked to Hellcat ransomware claims to have stolen 106GB of Telefónica data and has started leaking files after the company denied the breach.

    Spanish telecom giant Telefónica is facing new scrutiny after a hacker associated with the Hellcat ransomware group published a 5GB sample of data allegedly stolen in a recent breach. The leak, which follows a previous compromise of Telefónica’s internal Jira server in January, raises serious concerns about the company’s internal security posture and breach response strategy.

    Alleged Breach on May 30 Sparks Data Leak

    The threat actor, operating under the alias “Rey”, claims to have breached Telefónica on May 30, gaining 12 hours of uninterrupted access to internal systems before detection. During that window, Rey claims to have exfiltrated over 106.3GB of sensitive data, including:

    • Internal communications (emails, tickets)
    • Employee and customer data
    • Purchase orders
    • System logs

    A 2.6GB compressed archive, released by Rey as proof, expands to 5GB of files—over 20,000 individual documents—and allegedly includes invoices and employee contact details across Spain, Germany, Peru, Argentina, Chile, and other countries.

    Telefónica Yet to Confirm or Deny Breach

    Despite multiple attempts by BleepingComputer to reach out to Telefónica and several of its senior executives, the company has yet to acknowledge the breach. A response from a Telefónica O2 employee downplayed the incident, calling it an extortion attempt using outdated data.

    However, Rey continues to insist the breach is recent and tied to a Jira misconfiguration that was not addressed after the January compromise. To pressure Telefónica, Rey stated:

    “Since Telefonica has been denying a recent 106 GB breach containing data from its internal infrastructure, I am releasing 5 GB here as proof. Soon, I will publish the full file tree, and over the next few weeks, if Telefonica does not comply, the entire archive will be released. ;)”

    Leaked Data Raises Validity Concerns

    A review of the leaked files showed that the most recent documents date back to 2021, which supports the company’s assertion that the material may be outdated. However, BleepingComputer also verified that some of the leaked employee email addresses are still active, indicating that at least some of the data may be current.

    The data was initially shared via PixelDrain, but the platform quickly removed it for legal reasons. It was later re-uploaded to Kotizada, which Google Chrome now flags as unsafe for download.

    Hellcat Ransomware Group’s Growing Track Record

    Hellcat ransomware, and Rey specifically, have a known focus on exploiting Jira server misconfigurations. The group has claimed recent intrusions into well-known enterprises, including:

    • Jaguar Land Rover
    • Ascom
    • Orange Group
    • Schneider Electric
    • Affinitiv

    The same tactics appear to have been reused in this alleged Telefónica breach. The January attack also involved internal Jira services, which, according to Rey, were not adequately secured before the most recent incident.

    With Telefónica yet to issue a formal response, the legitimacy of the alleged 106GB breach remains uncertain. However, the ongoing leaks and the threat actor’s persistence may pressure the company into taking a public stance.
