Ransomware victim disclosure
Cheval Blanc Randheli
Claimed by aurora · listed 21 days ago
Status timeline
- Listed: Apr 29, 2026
- Data leaked
At a glance
- Group: aurora
- Status: Data leaked
- Country: MV
- Sector: Hospitality and Tourism
- Listed on leak site: Apr 29, 2026
About the victim
AI dossier — public-source company profile
Cheval Blanc Randheli is an ultra-luxury private island resort operated by Cheval Blanc (an LVMH group brand) on Randheli Island in the Noonu Atoll, Maldives. The property caters to high-net-worth and VIP guests, including royalty and government officials, and operates under a management contract between LVMH and the property owner. It is one of a small number of Cheval Blanc branded properties worldwide.
- Industry: Ultra-Luxury Resort & Hospitality
- Address: Randheli Island, Noonu Atoll, Maldives
- Employees: 1000-2000
- Founded: 2013
Attack summary
Severity: critical — Mass exfiltration of regulated PII at extraordinary scale and sensitivity: 75,855 passport scans (full biographic pages including MRZ and signatures) for tens of thousands of individuals including named royalty and government officials; full home addresses; partial financial data; non-rotatable biometric templates; plaintext credentials granting ongoing infrastructure access; and confidential LVMH corporate and financial documents. This combines large-scale identity data, government/VIP exposure
The Aurora ransomware group claims to have exfiltrated a large volume of highly sensitive data from Cheval Blanc Randheli, including 75,855 passport scan images of an estimated 20,000–30,000 unique guests spanning a decade, full PMS guest profiles for 30,000–50,000 individuals, employee records including biometric data, plaintext credentials, BitLocker recovery keys, biometric templates, and confidential LVMH corporate documents. The data is described as published.
Data the group says was taken
AI dossier — extracted from the leak post
- Passport scan images (75,855 files, ~20,000–30,000 unique guests)
- Guest PMS profiles (30,000–50,000 records incl. home addresses, partial card data)
- VIP guest classification and stay histories
- Employee salary records (2017–2026)
- Employee medical insurance claims
- Employee biometric enrollment data (fingerprint/facial, Gladis system)
- Employee ID photos (~200)
- Employee vacation/leave records
- Key Management Personnel compensation details
- BitLocker full-disk encryption recovery key
- Plaintext system passwords (Passwords.docx)
- Extranet and vendor credentials
- 3CX VoIP SIP credentials and call routing configuration
- LVMH–property owner management contract
- Board investment recommendation (Velidhoo property)
- 10 years of budgets and revenue forecasts
- Audited subsidiary financial statements (I&T / Sitax)
- LVMH White Book operational standards manual
- Building Management System data (HVAC, power, desalination, lighting)
What the group claims
[lvmh] Guest Passport Scans — 75,855 Files, 10 Years
The single largest data category: 75,855 passport scan images spanning January 2015 through October 2024, organised in daily folders within monthly and yearly directories. These represent an estimated 20,000–30,000 unique guests. Each scan contains the full passport bio page: photo, full name, date of birth, nationality, passport number, machine-readable zone (MRZ), and signature.
Among the exposed passports:
- Qatar Royal Family members — 9 passport scans including Muhammad Mesned S M Al-Misned, Abdulla, Khalifa, Lolwa, Nasser, Alanoud, Bessy, and Mesned
- UAE VIP and government officials — including H.E. Ahmed Saif Ali Aldhabea Aldarmaki, H.E. Matar Suhail Ali Alyabhouni Aldhaheri, and members of an April 2024 private buyout group who arrived on private jets (tail numbers A6AUH, A6DAH)
- LVMH head-office executives — 7 passport/profile photos including named senior staff from Paris
Guest PMS Data — 30,000–50,000 Profiles
Opera PMS exports containing full names, home addresses (street-level), nationalities, VIP classification levels (A/B/C/G), partial credit card data (last-4 digits + expiry + card type), deposit amounts, booking confirmation numbers, stay histories, travel agent details, flight numbers, and guest preferences.
Employee Records — 1,000–2,000 Individuals
Ten years of salary records (2017–2026), medical insurance claims organised by department, ~200 ECARD ID photos, vacation/leave records, Key Management Personnel (KMP) compensation details, and biometric enrollment data from the Gladis facility-access system.
Credentials and Infrastructure
- BitLocker recovery key — full disk-encryption key for the Windows server volume
- Passwords.docx — plaintext system password store covering revenue, PMS, and operational systems
- Extranet passwords — booking-portal and vendor credentials
- 3CX VoIP backup — SIP credentials, extension configurations, call routing rules
- Biometric templates (Gladis enrollment) — non-rotatable fingerprint/facial data
Corporate-Sensitive Documents
- Management Contract of Cheval Blanc Randheli — the LVMH–property owner agreement containing fee structures, performance benchmarks, and brand license terms
- Board investment recommendation for Velidhoo — a potential new property with capital allocation and return projections
- 10 years of budgets and revenue forecasts
- Audited subsidiary financial statements (I&T / Sitax entities)
- White Book — the property's operational standards manual (proprietary LVMH brand IP)
- Building Management System data — HVAC, power, desalination, and lighting control files for island infrastructure
Sources
Indexed 21 days ago
This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
