Ransomware victim disclosure
← All victimsNorthWest Handling Systems
Claimed by AUR0RA · listed 18 hours ago
Status timeline
- Listed
Jun 6, 2026
- Data leaked
At a glance
About the victim
AI dossier — public-source company profileNorthWest Handling Systems is a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with regional branches across Washington, Oregon, and Alaska. The company serves commercial and industrial customers across the Pacific Northwest.
- Industry
- Material Handling Equipment & Forklift Sales/Service
- Address
- Renton, Washington, US
- Employees
- 55
- Founded
- 1969
Attack summary
Severity: critical — Confirmed exfiltration of massive scale: plaintext financial credentials enabling fraud against Fortune 50 companies; employee SSNs/tax IDs; customer security-sensitive facility blueprints; 33 GB of regulated data spanning 37+ years; direct operational risk to multiple critical vendors.AUR0RA claims to have exfiltrated the entire corporate file share spanning 1988–present, containing 337,000+ files across all departments and branches. The disclosure includes plaintext financial credentials, employee PII, customer facility blueprints, and decades of business records.
Data the group says was taken
AI dossier — extracted from the leak post- Plaintext credit card numbers (Excel spreadsheet)
- Employee Social Security numbers and Taxpayer IDs
- W-9 forms and government-contract payroll documents
- Plaintext vendor portal passwords (Target, Home Depot, Albertsons/Safeway)
- 33 GB customer warehouse CAD files (Nike, Google, Costco, Umpqua Bank facilities)
- Fixed-asset inventory and depreciation schedules
- Corporate bank routing and account numbers
- Employee direct-deposit details and time cards
- Disciplinary records and accident reports
- Decades of invoices and financial records
What the group claims
A 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988.
The leak post
captured from the group's site[ NorthWest Handling Systems — a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988. 337,000+ files spanning every branch, every department, every era of the company. It includes: Plaintext credit card numbers in an Excel spreadsheet literally titled “C.O.D. info (CREDIT CARD INFO).xlsx” — stored at the root of the file server, unencrypted, for years. Social Security numbers and Taxpayer IDs on W-9 forms and certified payroll documents for government-contract work (USPS, Oregon DHS, public schools). 3+ years of plaintext passwords for Target Corporation’s vendor portal (TARS), stored in Word documents titled “TARGET PASSWORD & SECURITY QUESTIONS.” Each password rotation was saved as a new file. Home Depot Maximo DC billing credentials — plaintext, in a Word document, enabling fraudulent invoicing against a Fortune 50 company. Albertsons/Safeway Corrigo facility-management portal credentials — again, plaintext in a .docx file. 33 GB of customer warehouse CAD files — facility layouts, equipment placement, security-zone dimensions, and fire-protect…
Data the group says was taken
- credit card numbers
- Social Security numbers
- Taxpayer IDs
- W-9 forms
- certified payroll documents
- plaintext passwords
- vendor portal credentials
- CAD files
- fixed-asset data
- bank routing and account numbers
- ACH authorization forms
- employee direct-deposit details
- time cards
- disciplinary records
- accident reports
- invoices
Screenshot of the leak post
Sources
Source
Indexed 18 hours agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.