Qilin Claims Danone Ransomware Attack, Alleges Theft of 221 GB of Internal Data

Qilin has listed Danone on its leak site, alleging it stole 221 GB of internal files including financial reports, customer records, and business documents.
Screenshot of the Qilin ransomware group’s leak site listing Danone (International Delight), claiming the publication of 221 GB of alleged stolen data across 91,558 files, with blurred document previews.
Qilin claims to have stolen 221 GB of data from Danone and published alleged proof files on its leak site. The claims have not been independently verified, and Danone had not issued any public statement at time of publication.

The Qilin ransomware group has claimed responsibility for an alleged cyberattack against global food and beverage giant Danone, claiming to have stolen 221 GB of internal company data before listing the organization on its data leak site.

The claim has not been independently verified. Danone had not issued any public statement at time of publication.

Alleged data theft targets global food company

Qilin claims it exfiltrated approximately 221 GB of data consisting of 91,558 files from Danone’s internal environment. The ransomware operation published a small collection of purported evidence intended to support its claims.

Based on the material allegedly released, the dataset appears to include financial reports, customer account information, customer issue reports, non-disclosure and confidentiality agreements, and monthly sales documents dating between 2023 and 2025.

The group did not specify how it allegedly gained access to Danone’s network, whether systems were encrypted, or whether negotiations with the company are ongoing.

Major international brands potentially affected

Headquartered in Paris, Danone is one of the world’s largest food and beverage companies, operating in more than 120 countries with over 180 production facilities across 55 countries. Its portfolio includes globally recognized brands such as Evian, Activia, Silk, International Delight, Volvic, Actimel, AQUA, and Danone yogurt.

The company reported group sales of €27.3 billion during 2025, making it one of the largest consumer goods manufacturers targeted by ransomware groups this year.

Evidence remains limited

Although Qilin published several sample documents, the full scope of any alleged compromise remains unclear. The purported evidence appears to include internal financial summaries, customer-related documentation, sales reports, and contractual agreements.

At this stage there is no independent confirmation that the files originated from Danone, nor has the company confirmed that customer, employee, or corporate information was accessed.

Qilin continues targeting large enterprises

First observed in 2022, Qilin has become one of the most active ransomware operations targeting large organizations across manufacturing, healthcare, financial services, retail, transportation, and government sectors. The group has continued adding new alleged victims throughout 2026, with Danone becoming one of its latest claims.

The alleged attack also continues a recent trend of ransomware groups targeting major food and beverage manufacturers. Earlier this week, BreachNews reported on the confirmed ransomware attack that disrupted Fairlife’s U.S. production, highlighting the sector’s continued exposure to cyber extortion.

Danone had not issued any public statement at time of publication.

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map