{ "id": "4945adc2-a5f8-4ab9-965d-11ff85227f1c", "created_at": "2026-04-06T00:18:13.762951Z", "updated_at": "2026-04-10T03:23:51.353132Z", "deleted_at": null, "sha1_hash": "085836ce4821916fa5b0e26d4c1c32bb6b61cc29", "title": "Leading toy maker Mattel hit by ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1810097, "plain_text": "Leading toy maker Mattel hit by ransomware\r\nBy Lawrence Abrams\r\nPublished: 2020-11-03 · Archived: 2026-04-05 13:13:07 UTC\r\nToy industry giant Mattel disclosed that they suffered a ransomware attack in July that impacted some of its business\r\nfunctions but did not lead to data theft.\r\nMattel is the second-largest toymaker in the world with 24,000 employees and $5.7 billion in revenue for 2019. Mattel is\r\nknown for its popular brands, including Barbie, Hot Wheels, Fisher-Price, American Girl, and Thomas \u0026 Friends.\r\nIn a 10-Q form filed with the Securities and Exchange Commission (SEC), Mattel disclosed that it suffered a ransomware\r\nattack on July 28th, 2020.\r\nhttps://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/\r\nPage 1 of 3\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/\r\nPage 2 of 3\n\nVisit Advertiser websiteGO TO PAGE\r\n\"On July 28, 2020, Mattel discovered that it was the victim of a ransomware attack on its information technology systems\r\nthat caused data on a number of systems to be encrypted. Promptly upon detection of the attack, Mattel began enacting its\r\nresponse protocols and taking a series of measures to stop the attack and restore impacted systems. Mattel believes it has\r\ncontained the attack and, although some business functions were temporarily impacted, Mattel was able to restore its critical\r\noperations.,\" the toymaker stated in their filing.\r\nAfter conducting their investigation, Mattel does not believe that any data was stolen during the ransomware attack.\r\n\"A forensic investigation of the incident has concluded, and no exfiltration of any sensitive business data or retail customer,\r\nsupplier, consumer, or employee data was identified,\" Mattel further stated in their filing.\r\nThe filing does not indicate what ransomware operation was responsible for the attack, but a source told BleepingComputer\r\nthat Mattel suffered a TrickBot infection in July.\r\nTrickBot infections are known to lead to network-wide compromises eventually followed by Ryuk or Conti ransomware\r\nactors encrypting devices on the infiltrated network.\r\nBleepingComputer contacted Mattel with further questions about the attack but has not heard back at this time.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/\r\nhttps://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/leading-toy-maker-mattel-hit-by-ransomware/" ], "report_names": [ "leading-toy-maker-mattel-hit-by-ransomware" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434693, "ts_updated_at": 1775791431, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/085836ce4821916fa5b0e26d4c1c32bb6b61cc29.pdf", "text": "https://archive.orkl.eu/085836ce4821916fa5b0e26d4c1c32bb6b61cc29.txt", "img": "https://archive.orkl.eu/085836ce4821916fa5b0e26d4c1c32bb6b61cc29.jpg" } }