
Cyber Incident Victim: Thomas J. Schandy

Date: Feb 2023

Location: Uruguay

Summary

The Uruguayan firm Thomas J. Schandy, specializing in maritime incident resolution as Lloyd's agents, was compromised by the AvosLocker ransomware group, which claimed exfiltration of approximately 100 GB of data including employee curriculum vitae and work agreements. The attackers published samples as proof on their leak site, though the targeted organization did not publicly acknowledge the incident or respond to verification attempts. This breach exposed sensitive operational and personnel information, reflecting broader regional targeting of entities by ransomware groups like LockBit3.0, which simultaneously attacked Colombian municipal systems and Brazilian corporate data involving emergency service records, financial documents, and personal employee details.


Description

On or around February 5, 2023, the ransomware group AvosLocker listed the Uruguayan firm Thomas J. Schandy on its data leak site, claiming possession of approximately 100 GB of stolen data. The firm, which operates as maritime claims adjusters and liquidators with a focus on Uruguay's national ports, was described by AvosLocker as compromised, though the exact date of intrusion remains unspecified. As proof of the breach, AvosLocker published a sample of files including employee curriculum vitae and work agreements. Thomas J. Schandy serves as Lloyd’s agents and P&I correspondents, handling marine insurance and casualty investigations, but its public-facing website contained no acknowledgment of a security incident at the time of reporting. DataBreaches.net attempted to contact the firm via email on two occasions to verify the attack but received no response. The absence of confirmed details regarding initial detection methods, containment efforts, or data encryption leaves the intrusion timeline and operational impact unclear beyond the attackers’ claims of data exfiltration.

The incident’s primary confirmed consequence was the exposure of sensitive employee and operational documents on AvosLocker’s leak site, though the full scope of compromised data remains unverified by independent sources or the victim organization. No further updates regarding data recovery, ransom demands, or system restoration were disclosed by Thomas J. Schandy as of the article’s publication date. Similarly, no evidence emerged of regulatory notifications, client communications, or public statements by the firm addressing the breach. The lack of transparency contrasted with proactive breach disclosures by other organizations cited in the same report, such as Medellín’s municipal government. AvosLocker’s publication of personnel files indicated potential risks to employee privacy, but downstream impacts—including misuse of data or disruption to port-related operations—were not substantiated by available evidence. The incident concluded without resolution in the public domain, as neither the firm nor the threat actors provided subsequent updates confirming data deletion, payment, or remediation.
