European Space Agency Confirms Cyber Attack Amid Claims of 500 GB Data Theft

CyberSecureFox 🦊

The European Space Agency (ESA) has confirmed a serious cybersecurity incident and reported the case to law enforcement, following claims by a hacker group that it exfiltrated around 500 GB of sensitive internal data. The alleged trove includes technical documentation on spacecraft and missions, operational procedures for critical systems, and files from major contractors such as SpaceX, Airbus Group, and Thales Alenia Space.

How the ESA cyber attack allegedly happened

A group calling itself Scattered Lapsus$ Hunters told media outlets that it gained access to ESA’s internal infrastructure as far back as September last year. According to the group, the intrusion began with exploitation of a publicly disclosed vulnerability in one of ESA’s externally facing services. This typically means a known security flaw for which a patch or mitigation already exists but had not been deployed in time.

More concerning is the group’s assertion that the underlying vulnerability remains unpatched, allowing them to maintain persistent access to live systems. If accurate, this points not only to a technical gap but also to weaknesses in vulnerability management and security monitoring processes—core controls for any operator of critical infrastructure.

An ESA spokesperson confirmed the occurrence of a cyber incident and stated that the agency had notified judicial authorities, which are now conducting a criminal investigation. ESA declined to comment on specific details, including the size of the data leak or the exact nature of the exploited vulnerability, which is standard practice while forensic work and legal proceedings are underway.

What data may have been exposed in the ESA breach

Leak of spacecraft technical documentation and operational procedures

File samples shared with journalists suggest that the stolen data set covers both internal ESA documentation and contractor materials. These reportedly include operational runbooks, emergency response plans, security procedures, failure modes and tolerances for spacecraft, information on the Earth Observation satellite constellation, and documentation on spacecraft attitude and orbit control.

Such material goes far beyond intellectual property. In the space domain, documentation describing failure scenarios, control logic and contingency operations is considered highly sensitive, as it can be used to refine sabotage attempts, industrial espionage, or targeted cyber attacks against satellite services.

Impact on contractors and national space programs

In addition to high-profile names such as SpaceX, Airbus Group, and Thales Alenia Space, other affected partners reportedly include OHB System AG, EUMETSAT, Sener, Teledyne, Leonardo and several more. This amplifies the characteristics of a supply chain attack, in which compromising a central hub—here, ESA—provides indirect access to the sensitive information of a broader ecosystem of suppliers and partners.

The incident also appears to touch national and international space programs. Referenced projects include the Greek national space program and scientific missions like the Next Generation Gravity Mission (NGGM), FORUM (Far-infrared Outgoing Radiation Understanding and Monitoring), and TRUTHS (Traceable Radiometry Underpinning Terrestrial- and Helio-Studies). Loss of confidentiality around such programs can disrupt international collaboration, certification processes and assurance activities for satellite systems.

Pattern of previous ESA incidents and systemic security challenges

This event follows closely on another reported compromise. In December, a user on the BreachForums marketplace advertised more than 200 GB of ESA-related data, allegedly including source code, API tokens, configuration files and credentials believed to be extracted from private Bitbucket repositories. Together, these incidents indicate sustained interest by threat actors in ESA’s engineering and operational documentation.

Historically, ESA has faced several notable cyber incidents. In 2024, a webshop associated with the agency’s brand was infected with a web skimmer designed to harvest payment card data. In 2015, SQL injection vulnerabilities across three domains led to the exposure of subscriber and staff information. In 2011, attackers published administrator credentials and server configuration files. Viewed in combination, these cases underline the strategic need for continuous hardening of the digital attack surface and improvement of internal security governance.

Broader risks for the space sector and cybersecurity lessons

European and international cybersecurity reports consistently highlight the trend this incident fits into. ENISA’s Threat Landscape reports and Verizon’s Data Breach Investigations Report (DBIR) have, over recent years, emphasized the rising frequency and impact of supply chain compromises and attacks against operators of critical infrastructure. The space sector sits at the intersection of both trends, linking government agencies, commercial primes and a dense network of subcontractors.

For organizations involved in space missions and other high‑tech programs, several priority measures emerge clearly from the ESA case. These include strict control of publicly accessible services and fast remediation of known vulnerabilities; regular access reviews for source code repositories; strong network segmentation and least‑privilege access models; and thoroughly tested incident response playbooks that explicitly cover partners, suppliers and regulators.

The ESA cyber attack underscores that space infrastructure is already a primary target for cybercriminals and potentially more advanced threat actors. Organizations operating satellites, ground segments and supporting services should reassess their cybersecurity posture with a focus on vulnerability management, protection of technical documentation and reduction of supply chain risk. The earlier these controls are strengthened, the lower the likelihood that the next major breach in the space industry will escalate from a reputational problem into a technological or geopolitical crisis.
