A threat actor is allegedly selling a significant 24GB dataset purportedly belonging to Baxter Kelly Ltd, a prominent company in the United Kingdom’s energy efficiency and retrofit sector. Baxter Kelly is a key partner in government-backed initiatives like the ECO4 and Great British Insulation Scheme, holding important accreditations from bodies such as TrustMark and the BBA. The data, which has been offered for sale for $2,000, allegedly originates from the company’s internal systems and contains a vast amount of sensitive operational and customer information.
The seller claims the dataset is a “treasure trove” of confidential files, jeopardizing both the company’s commercial standing and its customers’ privacy. The exposure of such detailed information could provide competitors with strategic advantages or be exploited for other malicious activities. The data for sale allegedly includes:
- Customer Personally Identifiable Information (PII), including names, full addresses, and contact details.
- Detailed energy retrofit project information, including timelines and technical assessments.
- Technical specifications for materials and installation protocols.
- Internal company certifications, personnel qualifications, and field reports.
- Reduced Data Standard Assessment Procedure (RdSAP) reports containing energy performance ratings and consumption data.
The incident highlights the significant operational and reputational risks faced by companies handling sensitive infrastructure and customer data. The availability of proprietary business intelligence, technical specifications, and customer data on the dark web poses a serious threat, potentially impacting Baxter Kelly’s market position and contractual agreements.
