> incident: Capgemini data breach —— date: September 2024 —— volume: 20 GB —— actor: grep —— status: leaked on BreachForums
On 12 September 2024, a threat actor using the alias 'grep' posted on BreachForums — one of the internet's most active cybercrime marketplaces — claiming to have compromised Capgemini's systems and exfiltrated 20 GB of sensitive data. The stolen data was offered for download to fellow forum users, with select samples shared publicly to validate the claim.
Capgemini is a French multinational IT services and consulting company headquartered in Paris, operating in over 50 countries with more than 337,000 employees. The company generated €22.5 billion in revenue in 2023. Its clients include some of the world's largest organisations across finance, healthcare, manufacturing, government, and telecommunications. In July 2024 — just two months before the breach was announced — Capgemini won a controversial UK government contract worth up to £574 million to run HMRC's legacy tax management systems until 2029.
As of the time of reporting, Capgemini had not formally confirmed or denied the breach, declining to comment to multiple media outlets. T-Mobile US subsequently stated that its virtual machines were not caught up in the leak, though the attacker's posted samples appeared to include T-Mobile VM log files.
The data the attacker claims to have exfiltrated is not customer records or personal data in the conventional sense — it is far more operationally damaging. This is infrastructure data: the credentials, keys, source code, and configuration details that underpin how Capgemini and its clients' systems actually work.
| Data Category | What Was Exposed | Why It Matters |
|---|---|---|
| Source Code | Source code for various projects managed by Capgemini. Project files and development artefacts. | Exposes intellectual property. Allows attackers to identify vulnerabilities in applications before they are discovered by defenders. If client projects are included, the exposure extends beyond Capgemini to every organisation whose code was managed by the firm. |
| Credentials and Password Hashes | Employee names, email addresses, usernames, and password hashes. SQL entries listing employee credentials and user permissions. | Hashed passwords can be cracked, particularly if older hashing algorithms were used. Compromised credentials enable further access to internal systems. Employee email addresses feed targeted phishing campaigns. User permission data reveals who has access to what — an attacker's roadmap. |
| Private Keys and API Keys | Cryptographic private keys and API keys for internal and potentially client-facing services. | Private keys enable impersonation of services, decryption of encrypted communications, and signing of malicious code as if it came from a trusted source. API keys provide direct programmatic access to services — potentially bypassing all authentication controls. |
| Cloud Infrastructure Configuration | Internal configuration details for client cloud infrastructure. Terraform files for infrastructure-as-code deployments. Backup archives. | Cloud configuration files reveal the architecture, access controls, service endpoints, and security posture of client environments. Terraform files describe entire infrastructure deployments — an attacker with these files knows exactly how the target environment is built. |
| T-Mobile VM Logs | Log files reportedly generated by virtual machines associated with T-Mobile — a Capgemini client. | VM logs can reveal system activity, network connections, user behaviour, security events, and internal IP addressing. Even if T-Mobile's production systems were not directly compromised, log data from managed infrastructure provides intelligence for further targeting. |
| Employee Data | Lists of Capgemini employees with names, email addresses, usernames, and password hashes. | Enables targeted spear-phishing against Capgemini staff. Credential stuffing attacks against other services where employees may reuse passwords. Social engineering using knowledge of internal usernames and email formats. |
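As an added illustration (not part of the original article, and not Capgemini's or any client's code), the following Python script shows the kind of check a client security team would run over its own Terraform repositories to find out whether the secret types in the table above, cloud access keys, credential-like attributes and PEM private keys, are embedded in them and therefore exposed if the files leak. The Terraform fragment is constructed for the example; the rule names and patterns are the author's choices, not a standard.

```python
import re

# Constructed sample Terraform fragment, not from the leak: it embeds the kinds
# of material the breach analysis lists (cloud access keys, passwords, PEM keys).
SAMPLE_TF = '''\
provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAEXAMPLEEXAMPLE01"
  secret_key = "placeholder/secret/value+1234567890abcdef"
}
variable "db_password" {
  default = "admin123"
}
resource "local_file" "key" {
  content = <<EOT
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
EOT
}
# password = "this is a comment, not live configuration"
'''
# Line-level rules: a cloud access key ID, a PEM private key header, and a
# credential-like attribute assigned a literal string.
RULES = [
    ("aws_access_key_id", re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')),
    ("private_key_block", re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')),
    ("secret_assignment",
     re.compile(r'(?i)\b(?:password|secret_key|secret|token|api_key)\s*=\s*"[^"]+"')),
]
# A variable block named like a credential whose default is a literal string.
SENSITIVE_VAR = re.compile(r'^variable\s+"[^"]*(?:password|secret|token|key)[^"]*"', re.I)
VAR_DEFAULT = re.compile(r'^\s*default\s*=\s*"[^"]+"')

def scan_terraform(text: str) -> list[tuple[int, str]]:
    # Returns (line_number, rule_name) for each line that looks like an embedded secret.
    findings = []
    in_sensitive_var = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # comments never reach the deployed infrastructure
        if SENSITIVE_VAR.match(stripped):
            in_sensitive_var = True
        elif stripped == "}":
            in_sensitive_var = False
        if in_sensitive_var and VAR_DEFAULT.match(line):
            findings.append((lineno, "sensitive_variable_default"))
            continue
        for name, rule in RULES:
            if rule.search(line):
                findings.append((lineno, name))  # report location only, never the value
    return findings
```

Each hit is a value that should live in a secrets manager or be injected at apply time rather than sit in version control, and, after an incident like this one, each is a credential to rotate rather than just delete.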
The attacker noted that Capgemini 'had more data but I decided to exfiltrate only big files, company confidential, Terraform, and many more.' This statement — if accurate — suggests the attacker had broad access to Capgemini's systems and made deliberate choices about what to steal, prioritising infrastructure configuration and credentials over volume.
The Capgemini breach illustrates one of the most significant and least-addressed risks in modern cybersecurity: supply chain compromise through managed service providers. Capgemini is not just a software company that was breached — it is an IT services and consulting firm that manages infrastructure, develops applications, and holds privileged access to client environments across dozens of countries and industries.
The alias 'grep' — named after the Unix command-line utility for searching text patterns — is a BreachForums user who has been active in claiming and leaking data from compromised organisations. The choice to post on BreachForums rather than demanding ransom directly from Capgemini suggests motivation beyond pure financial gain — whether for reputation within the criminal community, ideological reasons, or because ransom negotiations failed or were never attempted.
The attacker's claim that they 'decided to exfiltrate only big files, company confidential, Terraform, and many more' indicates selective exfiltration — choosing high-value data rather than bulk copying everything available. This suggests either operational experience (knowing what is valuable), time constraints (needing to exfiltrate quickly before detection), or both. The selective approach is consistent with a motivated, experienced threat actor rather than an opportunistic script kiddie.
| Impact Area | Assessment |
|---|---|
| Capgemini Employees | Compromised credentials (even hashed) put employees at risk of credential stuffing and targeted phishing. Every employee whose details were exposed should assume their credentials are compromised — change passwords on all services, enable MFA where not already active, and be alert to targeted phishing using internal knowledge. |
| Capgemini Clients | Clients whose cloud configuration details, Terraform files, API keys, or source code were included in the exfiltrated data face direct risk. These organisations should assume their infrastructure architecture is known to adversaries and conduct security reviews accordingly — particularly reviewing API key validity, rotating credentials, and auditing access controls. |
| T-Mobile | T-Mobile US stated its virtual machines were not caught up in the leak. However, the presence of files labelled as T-Mobile VM logs in the attacker's posted samples warrants investigation regardless of T-Mobile's public statement. VM logs — even from non-production environments — can reveal network architecture, naming conventions, and security configurations. |
| UK Government (HMRC) | Capgemini's £574 million contract to run HMRC's legacy tax management systems makes any breach of Capgemini's infrastructure a matter of national concern. There is no public evidence that HMRC data was included in this breach, but the proximity — a major government contract won two months before a significant data theft — underscores the supply chain risk to government. |
| Capgemini's Reputation | An IT services and consulting firm that sells digital transformation and cybersecurity services being breached creates a fundamental credibility problem. Capgemini's silence — declining to confirm or deny the breach — compounds the reputational damage rather than addressing it. Transparency in incident response builds trust; silence erodes it. |
The Capgemini breach is a supply chain security incident. A €22 billion IT services firm that manages infrastructure, develops software, and holds privileged access to client environments across the globe was compromised, and 20 GB of operationally sensitive data — source code, credentials, private keys, cloud configuration files, and employee information — was exfiltrated and published on a dark web forum.
The data stolen is not the kind that fuels identity theft — it is the kind that fuels further intrusions. Private keys, API keys, Terraform files, and cloud infrastructure configurations are the tools an attacker needs to move from 'I have information about this organisation' to 'I have access to this organisation'. Every Capgemini client whose data may have been included in the exfiltration should treat this as a direct security incident requiring immediate credential rotation, access review, and enhanced monitoring.
Capgemini's silence underscores a broader problem: organisations that suffer breaches have a responsibility to be transparent — not just with regulators, but with the clients and partners whose data they hold. When an IT services provider is breached, every client is potentially affected. Those clients deserve to know what happened, what was exposed, and what they need to do. The cybersecurity community will draw its own conclusions from silence, and those conclusions will not be charitable.
Our supply chain security assessments evaluate the security posture of your critical third-party providers — MSPs, cloud partners, development firms — and identify where your data, credentials, and infrastructure access are exposed to supplier-side risk. We help you build contractual controls, monitoring, and response plans that address the reality that your suppliers will eventually be breached.