
SONDA

Primary URL: www[.]sonda[.]com
Location: Chile
Industry: Technology
Profile

SONDA is a Chilean information technology multinational corporation with operational footprints across multiple countries, as indicated by the international scope of data compromised in a 2023 security incident. The company's core business involves providing IT services and solutions, a positioning confirmed by its status as an IT multinational and the nature of its internal networks, which were targeted. Its organizational structure includes a separation between client-facing services and internal administrative or operational networks, a segmentation the company explicitly stated following the incident to contain potential client impact. This architectural detail suggests a service delivery model where client environments are logically isolated from corporate systems, a common practice for IT service providers handling sensitive customer data. The firm's multinational status is further evidenced by the exfiltration of identity documents and internal records from its various international operations, confirming a distributed corporate presence beyond its Chilean headquarters. While specific service lines, revenue figures, or employee counts are not provided in the source material, its classification as an IT multinational and the sophistication of the attack response imply a significant scale within the regional and possibly global technology services sector. The company's decision to engage Mandiant, a prominent cybersecurity firm, for incident response underscores an acknowledgment of the attack's severity and a commitment to forensic analysis and remediation, aligning with standard practices for large corporations facing advanced threats.

In March 2023, SONDA was the victim of a cyberattack attributed to the Medusa ransomware group, which claimed responsibility and initiated a data extortion campaign. The threat actors successfully exfiltrated data from SONDA's systems, including internal corporate documents and personal identity cards originating from the company's operations in several countries. Evidence of the breach was published on Medusa's leak site, serving as proof of the compromise and applying pressure for ransom payment. Upon detection of malware within its environment, SONDA activated its incident response protocol, retaining Mandiant to assist with investigation, containment, and recovery efforts. A key detail in the company's public communication was the assertion that its client services networks were segmented from its internal corporate networks, a control measure intended to limit the breach's blast radius and protect client data and service continuity. Medusa subsequently issued a formal ransom demand to SONDA, complete with a payment deadline, threatening to release the stolen information if their demands were not met. This incident highlights the persistent targeting of large, multinational IT service providers by ransomware groups seeking high-value data for extortion, and it demonstrates SONDA's experience with a sophisticated, financially motivated cyberattack that resulted in the confirmed theft of sensitive internal and personal data across its international entities.

Incidents
1 incident