The Adaptavist Group: Adaptavist Group breach: Ransomware crew claims mega-haul

Adaptavist Group Investigates Security Breach as Ransomware Gang Claims Major Data Theft

UK-based enterprise software consultancy The Adaptavist Group is probing a security breach after an attacker accessed its systems using stolen credentials in late March 2024. The company, which specializes in tools for platforms like Atlassian’s Jira and Confluence, detected the incident and engaged external security experts to conduct a forensic investigation.

In a customer letter, CEO Simon Haighton-Williams stated that the accessed systems contained "typical business data," including contact details, contracts, and NDAs, primarily limited to business card-level information such as names, emails, job roles, and company affiliations. Adaptavist maintains that there is no evidence of customer data being compromised or exfiltrated.

However, a ransomware group known as "The Gentlemen" has claimed responsibility, alleging a far more severe breach. Posting on its dark web leak site, the group boasts of a "complete infrastructure compromise" and a trove of stolen data, including hundreds of thousands of customer records, source code (e.g., for ScriptRunner), internal documents, credentials, and production systems. The group also made unverified claims about access to external customer environments.

Security researchers, including Trend Micro, identify "The Gentlemen" as a relatively new ransomware operation following a standard playbook: infiltrating networks with valid credentials, moving laterally, and exfiltrating data for leverage. Adaptavist has dismissed the gang’s claims, asserting that no evidence supports the alleged scope of the breach.

Adding to the complexity, Adaptavist has warned of impersonation attempts, with an unknown third party sending misleading communications to customers and partners under the guise of the company, potentially exploiting the incident for phishing attacks. The investigation remains ongoing.

Source: https://www.theregister.com/2026/04/21/adaptavist_group_breach_spawns_impostor/

The Adaptavist Group cybersecurity rating report: https://www.rankiteo.com/company/theadaptavistgroup

"id": "THE1776761513",
"linkid": "theadaptavistgroup",
"type": "Ransomware",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Potentially hundreds of '
                                              'thousands (alleged)',
                        'industry': 'Technology, IT Services',
                        'location': 'UK',
                        'name': 'The Adaptavist Group',
                        'type': 'Enterprise software consultancy'}],
 'attack_vector': 'Stolen credentials',
 'customer_advisories': 'Customer letter from CEO detailing the incident and '
                        'potential risks',
 'data_breach': {'data_exfiltration': 'Alleged by ransomware group, no '
                                      'evidence confirmed by Adaptavist',
                 'number_of_records_exposed': 'Hundreds of thousands (alleged)',
                 'personally_identifiable_information': 'Names, emails, job '
                                                        'roles, company '
                                                        'affiliations',
                 'sensitivity_of_data': 'Business card-level information '
                                        '(names, emails, job roles, company '
                                        'affiliations), alleged '
                                        'high-sensitivity data (source code, '
                                        'credentials)',
                 'type_of_data_compromised': ['Contact details',
                                              'Contracts',
                                              'NDAs',
                                              'Source code (e.g., '
                                              'ScriptRunner)',
                                              'Internal documents',
                                              'Credentials',
                                              'Production systems']},
 'date_detected': '2024-03',
 'description': 'UK-based enterprise software consultancy The Adaptavist Group '
                'is investigating a security breach after an attacker accessed '
                'its systems using stolen credentials in late March 2024. A '
                "ransomware group known as 'The Gentlemen' has claimed "
                'responsibility, alleging a major data theft, though '
                'Adaptavist maintains no evidence supports the alleged scope '
                'of the breach.',
 'impact': {'brand_reputation_impact': 'Potential due to impersonation '
                                       'attempts and unverified claims',
            'data_compromised': 'Business data (contact details, contracts, '
                                'NDAs), alleged customer records, source code, '
                                'internal documents, credentials, production '
                                'systems',
            'identity_theft_risk': 'Potential (business card-level PII '
                                   'exposed)'},
 'initial_access_broker': {'entry_point': 'Stolen credentials',
                           'high_value_targets': 'Production systems, source '
                                                 'code, internal documents'},
 'investigation_status': 'Ongoing',
 'motivation': 'Data exfiltration, ransomware extortion',
 'post_incident_analysis': {'root_causes': 'Stolen credentials used for '
                                           'initial access'},
 'ransomware': {'data_exfiltration': 'Alleged',
                'ransomware_strain': 'The Gentlemen'},
 'references': [{'source': 'Trend Micro'}],
 'response': {'communication_strategy': 'Customer letter from CEO, warnings '
                                        'about impersonation attempts',
              'incident_response_plan_activated': 'Yes',
              'third_party_assistance': 'External security experts engaged for '
                                        'forensic investigation'},
 'stakeholder_advisories': 'Warnings about impersonation attempts',
 'threat_actor': 'The Gentlemen (ransomware group)',
 'title': 'Adaptavist Group Security Breach Investigation',
 'type': 'Security Breach, Ransomware'}