Cyber Incident Victim: Globant S.A.
Date: Mar 2022
Location: Luxembourg
Summary
A cybersecurity breach at IT consultancy firm Globant was confirmed following the Lapsus$ extortion group leaking approximately 70GB of stolen data, including administrator credentials and proprietary source code for multiple high-profile clients such as Apple, Facebook, DHL, and Abbott. The compromised data encompassed source code repositories, project documentation, private keys, SSL certificates, API keys, and over 150 SQL database files, with third-party analysts verifying the leak's legitimacy and significant impact. While the company asserted the intrusion was limited to specific client projects and did not affect broader infrastructure, Lapsus$—a group linked to teenage hackers motivated by notoriety rather than financial gain—faced international law enforcement scrutiny, including arrests in the U.K. and FBI investigations into their broader targeting of major technology firms.
Description
On March 30, 2022, IT and software consultancy firm Globant confirmed a breach by the Lapsus$ data extortion group following the leak of approximately 70GB of stolen data. The threat actors publicly released an archive containing source code, administrator credentials, and project-related documentation, which they described as “some customers source code.” Metadata from a leaked screenshot of Globant’s archived directories indicated the data was modified on March 29, 2022, suggesting the theft occurred around that date. The screenshot displayed folders associated with prominent customers, including Abbott, Apple Health App, C-SPAN, Fortune, Facebook, DHL, and Arcserve. Lapsus$ subsequently published credentials granting administrative access to Globant’s development and collaboration platforms, such as Jira, Confluence, GitHub, and Crucible. A torrent file containing the full 70GB cache was also shared by the group.

According to threat intelligence firm SOS Intelligence, the leaked data included customer information, code repositories with private keys (including SSL certificates, API keys, and server certificates), and over 150 SQL database files for customer applications. One repository pertained to Bluecap, a financial-sector consultancy app Globant acquired in late 2020. SOS Intelligence verified the legitimacy of the leak through cross-referencing samples with live systems, confirming its severity for Globant and affected clients. Globant stated its investigation found no evidence of further infrastructure compromise beyond the disclosed data exposure.

The incident underscored Lapsus$’s pattern of targeting high-profile technology entities, following prior attacks on Microsoft, Nvidia, Samsung, Okta, and Ubisoft. The group, believed to consist primarily of teenagers motivated by notoriety rather than financial gain, operated by exfiltrating and leaking sensitive data to amplify their reputation. Law enforcement agencies, including the UK police and the FBI, had already been investigating Lapsus$ prior to the Globant breach, resulting in arrests of suspected members in the UK. The FBI sought public assistance to identify individuals involved in compromising US-based companies. Lapsus$’s Telegram communications suggested a geographically dispersed network of affiliates, with members conversing in English, Russian, Turkish, German, and Portuguese.

Globant’s public response emphasized the limited scope of impacted client data but acknowledged the exposure of source code and project documentation. The breach highlighted significant risks to Globant’s customers due to the exposure of cryptographic keys and database files, which could facilitate further attacks. No additional containment measures or technical mitigations by Globant were detailed in the available report.
