The ransomware group Qilin has included the Spanish company Mediapost in its dark web leak portal with a publication exposing personal data and sensitive documentation. Among the files attributed to the attack are first names, last names, national identification numbers, driver's licenses, passports, usernames, emails, physical addresses, phone numbers, and confidential information.
The breach affects a company that works in relational marketing, advertising distribution, and omnichannel communication for sectors such as retail, consumer goods, automotive, banking, and telecommunications, but so far neither the technical details of the incident nor the exact number of people affected have been disclosed.
Qilin Accumulated More Than 700 Claimed Victims in 2025
Qilin, also known as Agenda, is a ransomware-as-a-service group identified in 2022. Its operation is based on affiliates who carry out attacks in exchange for a percentage of the ransom.
Consulted cybersecurity reports attribute more than 700 claimed victims in 2025 to its activity. The scope of these campaigns affects sectors such as manufacturing, finance, retail, healthcare, technology, public administrations, and professional services.
Mediapost's appearance on this portal places the Spanish company on a list that has already included targets from different countries and profiles. Among them are the UK's National Health Service, the Japanese company Asahi, the biotech company Inotiv, and the US conglomerate Lee Enterprises.
The Group Had Already Hit the Tax Agency and Los Madroños Hospital
In Spain, Qilin has also claimed attacks against the engineering firm Altius, the winery Grandes Vinos, the Tax Agency, the insurer Asefa, and Los Madroños Hospital. This list shows that the group's activity is not limited to a single sector or a single scale of organization.
So far, it has not been made public how many people may be affected by the publication linked to Mediapost. Nor has any information been disclosed about the initial access, the attackers' dwell time in the systems, or the technical measures deployed after the incident.
Furthermore, the entity Escudo Digital has already contacted the company to request information about the attack and the measures applied after the data was published on the dark web.