TL;DR: Qilin publicly claimed a breach of Herth+Buss on April 13, 2026, alleging exfiltration of banking records, contractual data, passport details, and travel information, which would amplify fraud, identity theft, and phishing risk across a supply chain environment, according to Gurucul. The incident shows how ransomware extortion now monetises identity data as much as operational disruption.
NHIMG editorial — based on content published by Gurucul: Threat Intelligence Herth+Buss Data Leak Claimed by Qilin Ransomware: Exposure of Financial and Identity Data
By the numbers:
- On April 13, 2026, the ransomware group Qilin publicly claimed responsibility for a cyberattack against Herth+Buss, a Germany-based automotive supplier.
Questions worth separating out
Q: What breaks when ransomware exposes both identity and financial records?
A: The breach stops being only a recovery event and becomes a trust event.
Q: Why do exposed passport and bank details increase downstream fraud risk?
A: Because those records help attackers pass as legitimate employees, suppliers, or customers.
Q: What should security teams prioritise after a claimed data exfiltration incident?
A: They should identify which record types left the environment, which workflows depend on those records, and which approvals can now be spoofed.
Practitioner guidance
- Separate financial, identity, and partner data zones Restrict access so records containing bank details, passport numbers, signatures, and contracts do not sit behind the same privileged path.
- Validate exposure of identity evidence, not just systems Assume leaked records may be reused in phishing, payment redirection, and impersonation campaigns.
- Harden payment and vendor-change verification Require out-of-band confirmation for banking changes, contract amendments, and contact updates when sensitive identity data may have been exposed.
What's in the full article
Gurucul's full blog covers the incident details this post intentionally leaves at the analytical level:
- The article's breakdown of the alleged data categories, including bank details, contracts, identity documents, and travel records
- The threat actor context for Qilin's double-extortion model and how it uses data publication to increase pressure
- The article's risk commentary on financial fraud, identity theft, and targeted phishing opportunities arising from the claim
- The recommended response areas, including monitoring, DLP, MFA, backups, and third-party risk management
👉 Read Gurucul's analysis of the Herth+Buss Qilin data leak claim →
Herth+Buss and Qilin: what the data leak claim means for IAM teams?
Explore further
Double-extortion has become an identity exposure problem, not just a ransomware problem. When attackers steal passport data, bank details, and partner records, the value of the intrusion shifts from encryption leverage to trust reuse. That means the impact outlives the original endpoint or server compromise and can continue through fraud, impersonation, and relationship abuse. Practitioners should treat sensitive identity data as an extortion multiplier, not a by-product.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to the same research.
A question worth separating out:
Q: Who is accountable when ransomware claims expose partner and identity data?
A: Accountability usually spans incident response, data owners, IAM, and the business teams that approve sensitive workflows. The practical question is who owns exposure validation, who remediates access paths, and who changes verification for the affected processes. In supply chains, that responsibility often extends to third-party relationships as well.
👉 Read our full editorial: Qilin's Herth+Buss data leak claim exposes identity risk