Ransomware victim disclosure
← All victimsArup Group
Claimed by fulcrumsec · listed 11 days ago
Status timeline
- Listed
May 10, 2026
- Data leaked
At a glance
- Group
- fulcrumsec
- Status
- Data leaked
- Country
- GB
- Sector
- Business Services
- Listed on leak site
- May 10, 2026
About the victim
AI dossier — public-source company profileArup Group is a British multidisciplinary engineering and architecture consultancy founded in 1946 by Sir Ove Arup. The firm is employee-owned through a trust structure, employs approximately 17,000 people across 90 offices in 34 countries, and generates roughly £2.16 billion in annual revenue. Arup is responsible for landmark projects including the Sydney Opera House, the Pompidou Centre, and Beijing's CCTV Headquarters, and operates proprietary software subsidiaries including Oasys and NeuronCloud.
- Industry
- Engineering & Architecture Consultancy
- Address
- 13 Fitzroy Street, London, W1T 4BQ, United Kingdom
- Employees
- 17000
- Founded
- 1946
Attack summary
Severity: critical — Confirmed exfiltration of ~5 TB of data including large-scale PII (129,000+ named landowners with addresses and financial details, 313,650 surveillance records), sensitive infrastructure data for critical national projects (HS2, major transport), commercial source code of sold software products, valid cryptographic certificates and private keys, client operational data for named entities including a hospital, and physical security vulnerability maps of Arup's own premises — spanning multiple catThe group claims to have exfiltrated approximately 5 terabytes of data between September 2025 and April 2026 via a hardcoded GitHub personal access token, pivoting through Azure Blob Storage, AWS S3, and database infrastructure; no encryption of systems is claimed. Data published includes over 700 GB of private GitHub repositories, nearly 2 TB of cloud storage and database backups, 313,650 surveillance records, 129,000+ landowner PII files, proprietary source code, credentials, and certificates.
Data the group says was taken
AI dossier — extracted from the leak post- Private GitHub repositories (9,880+ repos, ~700 GB compressed)
- Azure Blob Storage contents (29 accounts, ~2 TB)
- AWS S3 bucket contents (44 Neuron buckets)
- AWS Redshift and RDS database backups
- Neo4j graph database contents
- 39 Neuron BMS client databases (Hong Kong)
- 49 GB Odoo ERP data
- 129,455 A66 landowner PII files (names, addresses, financial negotiation details)
- 120,000+ compulsory purchase process emails (.msg)
- 313,650 ICC surveillance records
- 37,835 Queensferry Crossing internal documents
- ArupCompute proprietary engineering platform source code
- Oasys GSA, AdSec, and Compos commercial software source code
- NeuronCloud smart building IoT platform source code and client configs
- Tunnel optimisation algorithm source code (HS2, Melbourne Metro, Ontario Line)
- HS2 Euston Station engineering data and 14,000+ sensor records
- Amazon facility seismic vulnerability assessments (named Seattle sites)
- BP Clean Energy Logistics Hub site selection data with geocoordinates
- Arup office physical security vulnerability assessments
- Apple Enterprise and Developer ID code-signing certificates with plaintext passwords
- Oasys commercial code-signing certificate
- RSA private keys for IoT gateways (Kings Cross, 8 Fitzroy Street)
- Azure AD client secrets
- AWS access keys
- SharePoint OAuth credentials
- GCP production payment gateway credentials
- SSL certificates
- Hardcoded database connection strings
- Oasys GSA P-Delta calculation defect documentation (Jira export)
Original description
AI-summarised, not from the leak postArup Group is a British multinational professional services firm headquartered in London, United Kingdom. Founded in 1946, it operates in the engineering, design, planning, and consulting industries. The firm provides structural, civil, mechanical, and electrical engineering services, alongside architecture and project management. Arup works across sectors including infrastructure, buildings, transport, and energy, delivering projects in over 140 countries worldwide.
The leak post
captured from the group's site[DOWNLOAD GITHUB REPOS (~377 GB compressed — onion link)](http://4e3p3in2bl67hxchuwza7qvnpe7pyeloyztr5fnh257fxkovfhappjyd.onion/arup-repos-data/) [AZURE STORAGE, NEURON S3 & DATABASES — FULL ARCHIVE LIST](http://4e3p3in2bl67hxchuwza7qvnpe7pyeloyztr5fnh257fxkovfhappjyd.onion/arup/archives/) Over 700 GB of private GitHub repositories • nearly 2 TB of Azure Blob Storage, AWS S3 buckets, and database backups • 9,880+ private repos • 39 Neuron BMS client databases • 49 GB of Odoo ERP • 129,000+ A66 landowner files • 313,650 ICC surveillance records • 37,835 Queensferry Crossing internal documents • Apple code-signing certificates with plaintext passwords • the complete ArupCompute and Oasys source code Arup Group is a British engineering consultancy founded in 1946 by Sir Ove Arup. They are employee-owned through a trust structure, employ about 17,000 people across 90 offices in 34 countries, and generate roughly £2.16 billion in annual revenue. They engineered the Sydney Opera House, the Pompidou Centre, and Beijing’s CCTV Headquarters. They are good at what they do. This is a difficult breach to write up for several reasons. 1) We spent close to half a year analysing the data, the mos…
Sources
Source
Indexed 11 days agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.