{ "id": "3eaac912-6883-4c5d-81cb-30fc716e31c6", "created_at": "2026-04-06T00:16:20.240178Z", "updated_at": "2026-04-10T03:30:21.097021Z", "deleted_at": null, "sha1_hash": "ebe4f250cea5d965baf24719ed9ab5ebb583191a", "title": "Clop ransomware gang is leaking confidential data from the UK police", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 189591, "plain_text": "Clop ransomware gang is leaking confidential data from the UK\r\npolice\r\nBy Pierluigi Paganini\r\nPublished: 2021-12-19 · Archived: 2026-04-05 14:08:52 UTC\r\n Pierluigi Paganini December 19, 2021\r\nClop ransomware gang stolen confidential data from the UK police and leaked it\r\nin the dark web because the victim refused to pay the ransom\r\nClop ransomware operators have stolen confidential information held by some British police, according to the\r\nmedia the cybercriminal gang targeted the IT firm Dacoll.\r\nAccording to the media, the cybercriminals compromised the systems at the company, which has access to\r\nthe police national computer, using a phishing attack.\r\nThe security breach was disclosed on Sunday by The Mail, while the group is releasing the stolen data on its leak\r\nsite on the dark web.\r\nThe security breach took place in October, Clop ransomware operators gained access to data managed by Dacoll,\r\nincluding that of the PNC, holding the personal information and records of 13 million people.\r\nDacoll confirmed the data breach.\r\n“We can confirm we were the victims of a cyber incident on October 5.” said a Dacoll spokesman. “We can\r\nconfirm we were the victims of a cyber incident on October 5. “We were able to quickly return to our normal\r\noperational levels. The incident was limited to an internal network not linked to any of our clients’ networks or\r\nservices.”\r\nStolen files include images of motorists exfiltrated from the national Automatic Number Plate Recognition\r\n(ANPR) system, footage, and close-up images of the faces of drivers who have committed traffic offenses.\r\n“The cyber-criminal gang Clop has released some of the material it plundered from an IT firm that handles access\r\nto the police national computer (PNC) on the so-called ‘dark web’ – with the threat of more to follow.” reported\r\nhttps://securityaffairs.co/wordpress/125792/cyber-crime/clop-ransomware-uk-police.html\r\nPage 1 of 2\n\nthe Daily Mail. “Clop is believed to have demanded a ransom from the company, Dacoll, after launching a\r\n‘phishing’ attack in October that gave it access to material, including that of the PNC, holding the personal\r\ninformation and records of 13 million people.”\r\nDacoll refused to pay and did not reveal the amount of ransom demanded by the ransomware gang. The company\r\nhas yet to reveal the extent of the security breach and which other information has been stolen.\r\nThe media pointed out that one of Dacoll’s subsidiaries, NDI Technologies, provides a ‘critical’ service for 90% of\r\nthe UK’s police forces, giving officers remote access to the PNC.\r\nThe National Cyber Security Centre is providing support to the investigation conducted by law enforcement.\r\n“We are aware of this incident and working with law enforcement partners to fully understand and mitigate any\r\npotential impact.” states a spokesman for National Cyber Security Centre.\r\nClop ransomware gang has been active since February 2019, it targeted many organizations and universities over\r\nthe years. Like other ransomware gangs, Clop operators implemented a double-extortion model leaking on their\r\nleak sites the data stolen from the victims that refused to pay the ransom.\r\nIn November, six alleged affiliates with the Clop ransomware operation were arrested in an international joint law\r\nenforcement operation, named Operation Cyclone, led by Interpol.\r\nFollow me on Twitter: @securityaffairs and Facebook\r\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, UK Police)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nSource: https://securityaffairs.co/wordpress/125792/cyber-crime/clop-ransomware-uk-police.html\r\nhttps://securityaffairs.co/wordpress/125792/cyber-crime/clop-ransomware-uk-police.html\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://securityaffairs.co/wordpress/125792/cyber-crime/clop-ransomware-uk-police.html" ], "report_names": [ "clop-ransomware-uk-police.html" ], "threat_actors": [ { "id": "1db21349-11d6-4e57-805c-fb1e23a8acab", "created_at": "2022-10-25T16:07:23.630365Z", "updated_at": "2026-04-10T02:00:04.694622Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "Chubby Scorpius", "DEV-0950", "Lace Tempest", "Operation Cyclone" ], "source_name": "ETDA:FIN11", "tools": [ "AZORult", "Amadey", "AmmyyRAT", "AndroMut", "BLUESTEAL", "Cl0p", "EMASTEAL", "FLOWERPIPE", "FORKBEARD", "FRIENDSPEAK", "FlawedAmmyy", "GazGolder", "Get2", "GetandGo", "JESTBOT", "MINEBRIDGE", "MINEBRIDGE RAT", "MINEDOOR", "MIXLABEL", "Meterpreter", "NAILGUN", "POPFLASH", "PuffStealer", "Rultazo", "SALTLICK", "SCRAPMINT", "SHORTBENCH", "SLOWROLL", "SPOONBEARD", "TiniMet", "TinyMet", "VIDAR", "Vidar Stealer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434580, "ts_updated_at": 1775791821, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ebe4f250cea5d965baf24719ed9ab5ebb583191a.pdf", "text": "https://archive.orkl.eu/ebe4f250cea5d965baf24719ed9ab5ebb583191a.txt", "img": "https://archive.orkl.eu/ebe4f250cea5d965baf24719ed9ab5ebb583191a.jpg" } }