
Cyber Incident Victim: Capital Economics

Date: Jan 2021

Location: United Kingdom

Summary

A major data breach exposed over 500,000 records from an economic research firm, initially discovered on a Russian-speaking cybercrime forum during dark web monitoring. The leaked information included corporate email addresses, password hashes, and physical addresses, posing risks for targeted malicious activities. Subsequent analysis revealed the same database had been previously leaked on an English-language forum, later resold, and ultimately released freely with exaggerated claims emphasizing C-level executive data to increase its perceived value—though most records did not pertain to high-ranking personnel. Multiple cybersecurity firms confirmed the repeated circulation of identical compromised data across different underground platforms.


Description

In early January 2021, a database containing over 500,000 records from Capital Economics, a prominent independent economic research firm, was leaked on an English-speaking cybercrime forum. The leak included sensitive information such as corporate email addresses, password hashes, physical addresses, and other personal details. Cybersecurity firm Cyble identified the exposed data during routine dark web monitoring, noting its potential to facilitate targeted attacks against affected individuals. The leaked records were initially marketed as containing exclusively C-level executive information, though subsequent analysis revealed this characterization overstated the database’s composition. Capital Economics, known for providing macroeconomic forecasts and consultancy services, had its client and employee data compromised in the incident, though the exact method of initial network intrusion remained unspecified in available reports.


The same database reappeared multiple times following the initial leak. Shortly after the January 2021 forum posting, an actor attempted to sell the dataset on another platform, falsely advertising it as a finance company SQL database with 500,000 records. Within hours, the actor released the entire dataset publicly at no cost, this time on a Russian-speaking forum, while again emphasizing its purported concentration of C-level executive records. KELA, a threat intelligence firm, confirmed all instances involved identical data and clarified that only a minority of the 500,000 records pertained to executives. Researchers attributed the “C-level” branding to an attempt by threat actors to increase the perceived value of the leak. Cyble alerted its clients about the risks posed by the exposure of corporate email addresses, which could enable phishing campaigns, credential stuffing attacks, and other malicious activities. No public statements from Capital Economics regarding containment measures or system remediation were documented in the analyzed sources.
