Dark Web News Analysis
A threat actor identified as the Everest ransomware group has listed Agfa-Gevaert Group on their dark web leak site, claiming to have exfiltrated 354 GB of internal company data. The data is reportedly being offered for download.
Brinztech Analysis:
- The Conflict: This incident presents a classic conflicting narrative between attacker and victim.
- Everest’s Claim (Nov 11, 2025): The group alleges a massive 354 GB breach of “internal company data,” consistent with their “double extortion” tactic of stealing data to demand a ransom.
- Agfa’s Response (Nov 13, 2025): Agfa officially confirmed they are investigating an “alleged cybersecurity incident” involving unauthorized access to a single file server. However, they stated that the screenshots provided by the attackers indicate the data is “older, non-sensitive data that are no longer related to Agfa” and that their core systems remain fully operational.
- Context: Everest has been extremely aggressive in November 2025, also claiming breaches of Under Armour (343 GB) and Petrobras. The “old data” defense is a common initial corporate response, but even legacy data can contain valid employee PII, historical contracts, or intellectual property.
Key Cybersecurity Insights
This incident highlights critical aspects of ransomware defense and crisis communication:
- The “Old Data” Risk: Even if Agfa is correct that the data is “older,” a 354 GB dump is significant. Legacy data often contains unexpired NDAs, employee records, or historical source code that can be used for social engineering or finding vulnerabilities in legacy systems that haven’t been updated.
- Healthcare IT Sensitivity: Agfa is a major player in Healthcare IT and digital imaging. Any breach claim against a healthcare provider triggers immediate scrutiny regarding PHI (Protected Health Information). While Agfa denies critical data loss, their clients (hospitals) must verify this independently to ensure no patient data was mixed in with the “old” files.
- Supply Chain Trust: Agfa’s prompt press release was a necessary move to maintain trust. However, the public availability of 354 GB of data will allow security researchers and bad actors to verify Agfa’s “non-sensitive” claim rapidly. If sensitive data is found, the reputational damage will be compounded by the initial denial.
Mitigation Strategies
In response to this claim, Agfa and its partners must take immediate action:
- Independent Data Verification: Agfa’s clients should not rely solely on the press release. They should request a specific confirmation that their historical data was not on the compromised file server.
- Threat Hunting (Lateral Movement): Agfa must ensure the “single file server” was truly isolated. Ransomware actors like Everest often use compromised servers as staging grounds to attack the wider network.
- Legacy Data Governance: This incident underscores the risk of data hoarding. Storing 354 GB of “older, non-sensitive” data on a live, accessible server creates an unnecessary liability. Organizations should implement automated archiving and deletion policies for legacy data.
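The "Threat Hunting (Lateral Movement)" item above asks whether the compromised file server really stayed isolated. Below is an added example, not code from the original post or from Brinztech or Agfa, of the kind of check a defender would run over connection or flow logs for that server: it flags a burst of admin-port connections (SMB, RDP, WinRM, SSH) from the server to many distinct internal hosts inside a short window, which is the staging-ground behaviour described above, and it flags large outbound transfers to non-RFC1918 addresses, which is what a multi-hundred-gigabyte exfiltration looks like on the wire. The log format, the host addresses, the thresholds and the sample lines are all constructed assumptions for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not real data from any incident).
# Assumed line format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = """\
2025-11-10T02:01:05 10.20.5.15 10.20.7.21 445 1200
2025-11-10T02:01:09 10.20.5.15 10.20.7.22 445 980
2025-11-10T02:01:14 10.20.5.15 10.20.7.23 445 1010
2025-11-10T02:01:20 10.20.5.15 10.20.7.24 3389 4400
2025-11-10T02:01:31 10.20.5.15 10.20.7.25 5985 2100
2025-11-10T02:01:40 10.20.5.15 10.20.7.26 445 900
2025-11-10T02:15:00 10.20.5.15 203.0.113.77 443 52000000000
2025-11-10T03:00:00 10.20.5.15 10.20.9.5 443 12000
2025-11-10T09:12:00 10.20.3.40 10.20.5.15 445 3000
2025-11-10T09:13:00 10.20.3.41 10.20.5.15 445 2500
"""

# Assumed tuning values; adjust to the environment's baseline.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}
FANOUT_THRESHOLD = 5                    # distinct internal hosts hit on admin ports
WINDOW_SECONDS = 600                    # within this many seconds
EXFIL_BYTES_THRESHOLD = 10 * 1024 ** 3  # 10 GiB outbound to one external address

# Treat only RFC1918 space as "internal" (ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which is not what we want here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "port": int(port), "bytes": int(nbytes)}


def hunt_from_host(log_text, host):
    """Return lateral-movement fan-out bursts and bulk exfil candidates for one source host."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    outbound = [e for e in events if e["src"] == host]
    findings = {"fanout": [], "exfil": []}

    # 1. Fan-out: sliding window over admin-port connections to distinct internal hosts.
    admin = [e for e in outbound if e["port"] in ADMIN_PORTS and is_internal(e["dst"])]
    i = 0
    while i < len(admin):
        start = admin[i]
        targets = set()
        j = i
        while j < len(admin) and (admin[j]["ts"] - start["ts"]).total_seconds() <= WINDOW_SECONDS:
            targets.add(admin[j]["dst"])
            j += 1
        if len(targets) >= FANOUT_THRESHOLD:
            findings["fanout"].append({"start": start["ts"].isoformat(),
                                       "targets": sorted(targets)})
            i = j          # skip past this burst so it is reported once
        else:
            i += 1

    # 2. Bulk exfil: total bytes sent to each non-internal destination.
    by_dst = defaultdict(int)
    for e in outbound:
        if not is_internal(e["dst"]):
            by_dst[e["dst"]] += e["bytes"]
    for dst, total in sorted(by_dst.items()):
        if total >= EXFIL_BYTES_THRESHOLD:
            findings["exfil"].append({"dst": dst, "bytes": total})

    return findings


if __name__ == "__main__":
    # Hunt from the (constructed) file server address.
    for kind, items in hunt_from_host(SAMPLE_LOG, "10.20.5.15").items():
        for item in items:
            print(kind, item)
```

In practice the log text would come from firewall, NetFlow or EDR network telemetry covering the window before the incident was noticed, and the two thresholds would be set from the server's normal behaviour: a file server that legitimately talks SMB to five other hosts every minute needs a higher fan-out threshold, while one that should never initiate admin-port connections at all can use a threshold of one.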
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com