Cyber Incident Victim: Moncler S.p.A.
Date: Dec 2021
Location: Italy
Summary
An Italian luxury fashion company experienced a ransomware attack by the AlphV/BlackCat operation, resulting in stolen data including employee, supplier, consultant, business partner, and customer information. The attackers published the data after the victim refused to pay a $3 million ransom demand, citing organizational principles. Exfiltrated materials comprised earnings statements, customer-related spreadsheets, invoices, and business documents, though no payment card data was compromised as such information was not stored. The ransomware group attempted to monetize the stolen data by offering it for sale to other threat actors, specifically targeting affluent customer records. The incident caused temporary IT service disruptions, particularly affecting logistics and e-commerce operations, which were later restored. The company notified relevant stakeholders and data protection authorities while emphasizing that further dissemination of the stolen data constituted criminal activity.
Description
The Moncler ransomware attack occurred during the final week of December 2021, disrupting the Italian luxury fashion brand's IT services. The company initially characterized the incident as a temporary operational outage, publicly announcing service interruptions without disclosing the ransomware nature of the attack. Within ten days of the initial disruption, Moncler restored core logistical systems and prioritized delayed e-commerce shipments, focusing on reactivating critical business functions. The AlphV/BlackCat ransomware operation, identified as a sophisticated Ransomware-as-a-Service platform that emerged earlier that month, claimed responsibility for both encrypting systems and exfiltrating sensitive data. On January 18, 2022, the threat actors published stolen data on their dark web leak site, prompting Moncler to confirm the data breach publicly. The compromised information included employee and former employee records, supplier contracts, consultant agreements, business partner documentation, and customer details, though the company emphasized no payment card data was exposed due to its non-retention of such information.

Moncler explicitly refused ransom negotiations, stating that payment demands contradicted the company's founding principles, which directly led to the attackers' data publication. The threat actors demanded $3 million to suppress the leak and subsequently advertised the sale of "rich customer" data to other cybercriminals. Forensic analysis of published samples revealed stolen documents containing earnings statements, customer information spreadsheets, invoices, and operational records. The company issued legal warnings against acquiring or disseminating the stolen data, emphasizing that such actions constituted criminal offenses under applicable laws. Moncler notified affected stakeholders, including employees, business partners, and regulatory authorities such as the Italian Data Protection Authority, about the breach. Analysis of the AlphV/BlackCat group's infrastructure revealed advanced operational capabilities, and Moncler was one of the group's earliest high-profile victims following the ransomware operation's December 2021 launch.
