Electronics distributor Avnet confirms data leak (Sept. 2025)

Another topic that I came across yesterday on the web. The major electronics distributor Avnet has confirmed a partial data leak in the EMEA region. According to Avnet, however, third parties cannot use the data because it is "unreadable." An attacker claims to have stolen 1.3 terabytes of compressed data, including personal data in plain text.

On the one hand, a reader pointed out the issue to me in an email this morning (thanks for that). Urs wrote to me: "An email from AV-Net has been circulating for the past few days. It's one of the two major distributors for MS products in Europe." On the other hand, I also saw the following tweet, which refers to the Bleeping Computer article I have been aware of since yesterday.

AVNet data leak

Who is Avnet?

Avnet is a US electronics wholesale group based in Phoenix. Among other things, the company sells electrical components and cables. In the 2020 financial year, the semiconductor product range accounted for around 76% of sales (over US$17 billion).

Bleeping Computer got a tip from an attacker

The colleagues at Bleeping Computer apparently received a tip from an attacker, who claimed to have penetrated Avnet's IT systems and stolen 1.3 TB of compressed data (between 7 and 12 TB uncompressed). The data covers the company's activities in EMEA and other regions.

The attacker apparently broke into Avnet's systems for financial gain and set up a leak site on the dark web to extort a ransom from the company by threatening to publish the data. According to Bleeping Computer, Avnet discovered the intrusion on September 26, 2025, and immediately began rotating all credentials in its Azure/Databricks environments; no further access was observed after that. The company did not, however, disclose the incident publicly.

What Avnet says about this

According to the above article, Avnet confirmed the data breach to Bleeping Computer on request. They quote a company spokesperson as saying: "Avnet recently discovered unauthorized access to an externally hosted cloud storage service that supports an internal sales tool for the EMEA region."

The Avnet spokesperson thus confirms that an unauthorized third party accessed cloud storage that was hosted by an external provider and held data for the EMEA region (Europe, Middle East, Africa).

Avnet told Bleeping Computer that the stolen data cannot be read without special tools: "Most of the data cannot be easily read without access to Avnet's proprietary sales tool. This tool remains secure and has not been compromised by this incident," said the company spokesperson.

Bleeping Computer was able to view some data samples and writes that the data contained therein is in plain text and includes personally identifiable information (PII). The colleagues write that Avnet confirmed this, but added that "this is not sensitive information within the meaning of the GDPR."

This is where it gets legally tricky: if personal data has been stolen, this is a personal data breach under the GDPR, which in my opinion should have been reported to the competent data protection supervisory authority in Europe within 72 hours (Art. 33 GDPR; the only exception is a breach that is unlikely to result in a risk to the data subjects). If the data is available in plain text, the situation is more critical under the GDPR than if only encrypted data had leaked, because Art. 34 waives the duty to notify the affected persons only where the data has been rendered unintelligible, for example by encryption with a key the attacker does not hold.

On the subject of "sensitive information within the meaning of the GDPR," I refer to my article EasyPark victim of a cyberattack, data extradicted (Dec. 2023) where a company had also enlisted its legal experts to sugarcoat the situation.

The statement that no "sensitive" data was stolen is borrowed by the "specialists" from the GDPR's special categories of personal data (Art. 9 GDPR), which explicitly lists which data (sexual orientation, racial or ethnic origin, genetic and health data, etc.) falls under that provision and describes the conditions under which companies may process such data at all.

The term "sensitive" is thus lifted from a completely different context, and it has little to do with the colloquial idea of what sensitive personal data is. Names, addresses, e-mail addresses and customer records are still personal data under the GDPR even if they are not "special categories."

Addendum: Following the comment below, I have viewed some samples: they are all plain-text CSV files with customer data. I was able to identify customers here in Europe.

The attackers, who call themselves "the Threat Thespians of Fulcrum Security," claim to have compromised Avnet's entire infrastructure and stolen over 1.3 TB of highly compressed data, mostly stored as Snappy-compressed Parquet partitions (snappy.parquet files). Uncompressed, the raw data is said to amount to between 7 and 12 TB. The data is global, they say, but coverage of the EMEA activities appears to be complete.

Worse still, the group writes that during the intrusion it used OpenAI API keys stolen from Avnet to generate a rough report on the incident, and also to create additional enumeration and exfiltration scripts. That doesn't sound too good for Avnet.
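Whether the "unreadable" claim holds depends on what a snappy.parquet file actually is. The following added example (written for this post; it is not code from the article, from Avnet or from the attackers) shows that Snappy, the compression Parquet wraps around its data pages, is a documented, keyless scheme that a few dozen lines of standard-library Python undo. It decodes the raw Snappy block format used by Parquet's SNAPPY codec and then runs a quick e-mail-address scan over the decoded bytes, the kind of triage one does to check a sample for plaintext PII. It does not parse the Parquet container itself (column chunks, Thrift footer); for that you would use pyarrow or pandas, as the commenter below notes. Both byte strings are constructed sample streams, not data from the leak.

```python
import re

# Raw Snappy block format (google/snappy, format_description.txt): a varint holding the
# uncompressed length, then elements whose tag byte's low two bits select a literal (00)
# or a back-reference copy with a 1-byte (01), 2-byte (10) or 4-byte (11) offset.
# No key, no secret: anyone holding the bytes can expand them.


def _read_varint(buf, pos):
    """Decode a little-endian base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 35:
            raise ValueError("varint too long")


def snappy_decompress(data):
    """Expand one raw Snappy block (the form Parquet stores per data page)."""
    expected_len, pos = _read_varint(data, 0)
    out = bytearray()
    while pos < len(data):
        tag = data[pos]
        pos += 1
        kind = tag & 0x03
        if kind == 0:  # literal: length-1 in the tag, or in 1..4 trailing bytes if >= 60
            length = tag >> 2
            if length >= 60:
                n = length - 59
                length = int.from_bytes(data[pos:pos + n], "little")
                pos += n
            length += 1
            out += data[pos:pos + length]
            pos += length
            continue
        if kind == 1:  # copy, 1-byte offset: 3-bit length (4..11), 11-bit offset
            length = ((tag >> 2) & 0x07) + 4
            offset = ((tag >> 5) << 8) | data[pos]
            pos += 1
        elif kind == 2:  # copy, 2-byte offset: 6-bit length (1..64)
            length = (tag >> 2) + 1
            offset = int.from_bytes(data[pos:pos + 2], "little")
            pos += 2
        else:  # copy, 4-byte offset: 6-bit length (1..64)
            length = (tag >> 2) + 1
            offset = int.from_bytes(data[pos:pos + 4], "little")
            pos += 4
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt stream: copy offset points outside the output")
        # Overlapping copies (offset < length) are legal and act as run-length encoding,
        # so the copy must proceed byte by byte rather than as one slice.
        start = len(out) - offset
        for i in range(length):
            out.append(out[start + i])
    if len(out) != expected_len:
        raise ValueError(f"length mismatch: header says {expected_len}, got {len(out)}")
    return bytes(out)


EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_emails(blob):
    """Quick PII triage: e-mail addresses visible in plaintext in a decoded page."""
    return [m.decode() for m in EMAIL_RE.findall(blob)]


# Constructed sample 1: a small CSV page with a repeated row, hand-encoded as one 24-byte
# literal (tag 0x5c) followed by a 13-byte copy reaching 13 bytes back (tag 0x32, offset 0x000d).
SAMPLE_PLAIN = b"name,email\nalice,a@x.eu\nalice,a@x.eu\n"
SAMPLE_STREAM = bytes([37, 0x5C]) + SAMPLE_PLAIN[:24] + bytes([0x32, 0x0D, 0x00])

# Constructed sample 2: a run of twenty 'A's, encoded as one literal byte and a 19-byte
# overlapping copy at offset 1 (tag 0x4a), to exercise the run-length case.
RUN_STREAM = bytes([20, 0x00]) + b"A" + bytes([0x4A, 0x01, 0x00])

if __name__ == "__main__":
    page = snappy_decompress(SAMPLE_STREAM)
    print(page.decode(), end="")
    print("e-mail addresses in plaintext:", find_emails(page))
    print("run-length sample:", snappy_decompress(RUN_STREAM))
```

The decoder is deliberately strict: a copy offset that reaches before the start of the output, or a final length that disagrees with the preamble, raises instead of silently producing garbage, which is the behaviour you want when sifting through samples of unknown provenance. The e-mail scan is only a first filter; names, addresses and customer numbers in a CSV column need a look at the decoded rows themselves.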


One Response to Electronics distributor Avnet confirms data leak (Sept. 2025)

  1. The Threat Thespians says:

    Avnet is lying through their teeth.

    1) All the data was in plain text, around ~100 GB in .csv form, and the other terabyte in what Avnet calls "unreadable" form without their "proprietary tools", but are simply parquet partitions. You can read it in DBeaver or use the pandas library to view the tables, yes, in plaintext.

    2) There is a great deal of PII. Naturally their lawyers will fight this, because they didn't disclose until we contacted the press.

    Hopefully they are being more honest with their customers, employees, and stakeholders, because ALL of their data is on the line here — but we sort of doubt it.

    You can view some samples here: ***
    —–
    GB: I deleted the links for legal reasons, but I will have a look at the samples and, if it is worthwhile, write a follow-up article. So thanks for your post.
