Cyber Incident Victim: LG Electronics

Date: Jun 2020

Location: United States of America

Summary

A ransomware group published tens of gigabytes of internal data from LG and Xerox following unsuccessful extortion attempts, leaking proprietary information including source code for the closed-source firmware of LG devices such as phones and laptops. The attackers employed a dual extortion strategy, stealing sensitive files without deploying ransomware in LG's case and threatening public release unless paid, ultimately publishing the data after both firms refused demands. While LG's breach involved significant intellectual property theft, Xerox's incident appeared to compromise customer support operations and employee information, though no confirmed customer data was immediately identified in the released trove.


Description

In June 2020, the Maze ransomware gang breached LG's internal network, exfiltrating 50.2 GB of proprietary data including closed-source firmware source code for phones and laptops. Unlike their typical ransomware deployment strategy involving file encryption, the group opted to immediately pursue extortion by threatening to leak the stolen data. Maze created an entry for LG on their dedicated leak portal in late June 2020, publicly listing the company as a victim and initiating a countdown to data publication. Despite LG's initial acknowledgment of the incident in June—wherein their security team committed to investigating and reporting the intrusion to authorities—the company refused subsequent ransom demands. Following LG's non-compliance, Maze executed their threat by publishing the full dataset on August 3, 2020. Parallel attacks targeted Xerox, with Maze leaking 25.8 GB of data purportedly containing customer support information and employee records after similar extortion attempts failed. Both companies maintained minimal public engagement, with LG redirecting media inquiries between security and communications teams—the latter failing to respond due to bounced emails—while Xerox provided no official statements throughout the incident lifecycle.

The confirmed impact centered on LG's exposure of intellectual property through the public release of sensitive firmware source code, posing potential long-term competitive and security risks. Maze's operational pivot—bypassing file encryption to focus solely on data theft and extortion—marked a tactical shift observed in the LG compromise. Forensic analysis of leaked samples confirmed the authenticity of LG's proprietary technical data, though Xerox's data review remained inconclusive regarding customer information exposure at the time of reporting. Neither organization disclosed operational disruptions, financial losses, or specifics about compromised internal systems. LG's fragmented response—initially pledging investigation before deflecting inquiries—contrasted with Xerox's complete silence, leaving critical questions about intrusion vectors, data scope, and containment measures unanswered. The incident concluded with Maze achieving their secondary extortion objective through irreversible public data dissemination after both firms resisted ransom payments.
