Company Downplays Incident, Says Stolen Data is Primarily Synthetic

Dell has acknowledged that a rebranded extortion gang known as “World Leaks” breached one of its product demonstration platforms earlier this month and is now trying to extort the company into paying a ransom. According to sources, the threat actor gained access to Dell’s Customer Solution Centers platform, which is used to demonstrate Dell products and solutions to customers.
In a statement to BleepingComputer, Dell confirmed that the threat actor had breached its Solution Center, an environment designed to demonstrate its products and test proofs-of-concept for Dell’s commercial customers. However, the company downplayed the incident, stating that the data obtained by the threat actor is primarily synthetic, publicly available, or Dell systems/test data. The company also emphasized that the Solution Center is intentionally separated from customer and partner systems, as well as Dell’s networks, and is not used in the provision of services to Dell customers.
While World Leaks likely believes it has obtained valuable data, including sample medical data and financial information, this data is reportedly entirely fabricated. BleepingComputer has learned that the only legitimate data stolen in the attack is a very outdated contact list. The Dell Customer Solution Centers are partitioned from the rest of Dell’s customer-facing network and internal systems, with customers shown multiple warnings not to upload private data to the labs.
When asked about the breach, Dell refused to share details as the incident is still under investigation. The company also declined to comment on the ransom demand. “A threat actor recently gained access to our Solution Center, an environment designed to demonstrate our products and test proofs-of-concept for Dell’s commercial customers,” Dell told BleepingComputer. “It is intentionally separated from customer and partner systems, as well as Dell’s networks and is not used in the provision of services to Dell customers.”
World Leaks is a rebrand of the Hunters International ransomware, which shifted its focus away from file encryption toward pure data extortion. The threat actors have claimed over 280 attacks against organizations worldwide since launching in late 2023. In January 2025, Hunters International rebranded as World Leaks, citing concerns that ransomware had become risky and was no longer profitable.
Since its launch, World Leaks has published data from 49 organizations on its data leak site, but Dell has not been listed. The threat actors have been linked to the recent exploitation of end-of-life SonicWall SMA 100 devices, where they installed a custom OVERSTEP rootkit. Yutaka Sejiyama, a threat researcher at Macnica, noted that 10 out of the 46 companies posted on World Leaks’ data leak site had been using an SMA 100.
The World Leaks group has also been linked to other high-profile incidents, including the recent ransomware attack on Louis Vuitton, which resulted in the closure of several stores, and the data breach of Chinese alcohol retailer WineLab, which resulted in the theft of sensitive customer data. The group’s tactics have raised concerns among cybersecurity experts, who warn that its focus on data extortion could lead to more targeted and sophisticated attacks in the future.
In response to the breach, Dell has taken steps to enhance the security of its Customer Solution Centers platform, including implementing additional security measures and conducting a thorough investigation into the incident. However, the company has not provided further details on the steps it is taking to address the breach.
As the incident continues to unfold, cybersecurity experts are warning organizations to be vigilant and take steps to protect themselves against similar attacks. “The World Leaks group is a sophisticated threat actor that is using advanced tactics to extort organizations,” said Yutaka Sejiyama. “Organizations need to take steps to protect themselves against these types of attacks, including implementing robust security measures and conducting regular security audits.”



