Logistics Conglomerate Grupo ATC Data Offered for Sale After Ransom Refused

A threat actor using the alias Straightonumberone is selling what they describe as data stolen from Grupo ATC, a Mexican logistics conglomerate (comprising TLE, TLEA, and PHES), for $1,000 after a ransom negotiation reportedly failed. The listing claims 23 databases, over 340GB, and more than 2 billion rows, and says it includes employee PII (names, emails, phones, RFC, bank accounts, and CLABE), credentials and tokens (OAuth2, JWT, SFTP and API credentials, cleartext passwords, and password hashes), intercepted business emails, GPS and freight-routing data, and internal infrastructure details. The seller names major automotive and industrial partners (including Ford, Toyota, Tesla, General Motors, and Stellantis) whose data is said to be in the set. The claim is unverified.

Data: 340+ GB
Price: $1,000
Country: MX / US
Actor: Straightonumberone

Post details

Target: Grupo ATC (TLE, TLEA, PHES)
Country: Mexico & USA
Sector: Logistics / Transportation
Listing: For sale ($1,000)
Scale: 23 DBs, 340+ GB, 2B+ rows
Origin: Ransom refused, files encrypted
Observed:
Actor: Straightonumberone

Allegedly included

  • 23 databases, 340+ GB
  • Employee PII (RFC, bank, CLABE)
  • Credentials & tokens (OAuth2/JWT)
  • Cleartext passwords & hashes
  • SFTP / API credentials & keys
  • Intercepted business emails
  • GPS & freight routing data
  • Internal infrastructure details

Potential impact

If genuine, the exposure of credentials and tokens (OAuth2, JWT, SFTP, and API keys) alongside cleartext passwords would allow direct access to systems, while employee PII including Mexican RFC identifiers, bank account numbers, and CLABE enables financial fraud and identity theft. Because Grupo ATC is a logistics provider to major automotive and industrial firms, the seller frames the data as useful for spear-phishing and gaining initial access to those partners, giving it a supply-chain dimension. The seller says the files were encrypted and a ransom negotiation failed before the data was leaked. The claim is not verified, and no data or contact details are reproduced here.

Status

Unverified

This is a sale listing; the seller says a ransom negotiation failed and the encrypted files are now being leaked and offered for sale, with samples gated behind the forum. No samples, credentials, or the seller's contact channels are reproduced here. The claim is unverified and Grupo ATC has not publicly addressed it.

DARK WEB INFORMER - THREAT INTELLIGENCE
