Globus and Cosmos Data Breach Exposes Customer, Financial, and Travel Data

The Globus and Cosmos data breach has exposed customer records, booking histories, financial documents, and internal travel files after a ransomware attack claimed by the CL0P ransomware group. Threat intelligence sources monitoring CL0P’s leak portal report that files attributed to Globus and Cosmos were listed for publication following unsuccessful ransom negotiations. The stolen dataset reportedly contains passenger details, payment records, supplier contracts, and internal correspondence relevant to worldwide tour operations.

Background of the Globus and Cosmos Data Breach

Globus and Cosmos operate as part of the Globus family of brands, providing guided tours and packaged travel services across North America, Europe, Asia, and other regions. The organization processes high volumes of traveler data, including names, contact information, passport numbers, itinerary details, and payment information. Records of this kind are highly valuable to ransomware operations that use double-extortion tactics, in which data theft accompanies on-premises encryption.

The CL0P ransomware group is a prolific criminal operation that frequently targets enterprise environments, often exploiting vulnerabilities in file transfer solutions and third-party integrations. CL0P’s playbook typically includes initial access via phishing or vulnerable managed file transfer software, credential harvesting, lateral movement, data exfiltration, and final encryption. Stolen files are then posted on the group’s leak portal or sold to other criminal actors if payments are not made.

Indicators and Timeline

Open source reporting and dark web monitoring first flagged the Globus and Cosmos data breach when CL0P added a new victim page to its leak site. The timeline is preliminary but follows a familiar pattern observed in prior CL0P incidents: initial reconnaissance and access, several days of data collection, and then data staging for exfiltration prior to triggering encryption. For victims of similar CL0P attacks, forensic timelines frequently reveal weeks of covert access before the encryption event.

  • Observed: November 11, 2025 (CL0P leak listing)
  • Threat actor: CL0P ransomware group
  • Attack type: Double extortion ransomware with data exfiltration
  • Reported data exposed: Customer personal details, booking records, financial documents, internal communications

Scope of Data Exposure

The publicly visible details from CL0P’s leak listing indicate a wide scope of stolen material. Reported items include:

  • Customer names, email addresses, phone numbers, and mailing addresses
  • Booking reservations and itinerary details, including travel dates and accommodations
  • Payment and invoice records, which may include partial card details or transaction metadata
  • Employee records and internal HR documents
  • Supplier contracts, invoices, and partner communications
  • Internal operational documents, schedules, and correspondence

Taken together, these records present a multi-vector risk. Exposed booking data can be used to craft highly convincing spear-phishing campaigns. Financial and invoice records enable fraud against suppliers and partners. Personal identifiers such as passport numbers and full names raise the risk of identity theft and cross-platform account takeover where credentials have been reused.

How CL0P Typically Gains Access

CL0P’s operations have repeatedly exploited weaknesses in enterprise file transfer solutions and third-party services. Known intrusion vectors include:

  • Exploitation of unpatched vulnerabilities in managed file transfer platforms such as MOVEit Transfer or Accellion FTA
  • Credential theft through phishing or compromised vendor accounts
  • Abuse of remote access services and exposed administration interfaces
  • Supply chain compromise where a third-party vendor is used as a pivot point

Once inside, attackers typically deploy tooling for credential harvesting and persistence, search specifically for high-value data, compress and exfiltrate the selected files, and only then deploy the ransomware payload to maximize operational disruption. The combination of theft and encryption pressures victims to consider payment in order to reduce the chance of public data release.

Potential Impact on Travelers and Partners

The Globus and Cosmos data breach may have immediate and long-term consequences for affected travelers and business partners. Potential impacts include:

  • Identity theft risk from leaked personal and passport information
  • Financial fraud targeting customers and suppliers from exposed transaction records
  • Targeted phishing and booking scams that leverage authentic itinerary data
  • Operational disruption to bookings, customer service, and partner coordination
  • Regulatory reporting obligations in multiple jurisdictions depending on the location of affected individuals

Travelers who used Globus or Cosmos services should be alert for suspicious emails or calls requesting payment updates or login credentials. Customers should verify any change requests directly through official company channels and avoid clicking links in unsolicited messages. Monitoring bank and card statements for unauthorized charges is strongly recommended.

Forensic and Response Actions

Organizations responding to CL0P-style incidents typically follow a sequence of containment and investigation steps. Recommended actions for an affected company include:

  • Engage experienced incident response and forensic teams to preserve and analyze logs
  • Isolate affected systems and disconnect compromised interfaces from production networks
  • Identify and contain lateral movement and persistence mechanisms
  • Conduct a full inventory of exposed data and map regulatory notification requirements
  • Coordinate with law enforcement and industry CERTs to share indicators of compromise

For partners and suppliers, it is critical to rotate shared credentials, audit API tokens, and suspend integrations that may have been abused until a full security assessment is complete.

Prevention and Hardening Recommendations

The travel industry must adopt robust security controls to reduce the likelihood and impact of future breaches. Recommended controls include:

  • Strict patch management for all public-facing applications and managed file transfer solutions
  • Network segmentation to prevent lateral movement between business-critical systems
  • Multi-factor authentication for administrative accounts and third-party vendor access
  • Continuous monitoring and EDR solutions to detect anomalous file access and exfiltration behavior
  • Offline backup strategies with air-gapped copies to enable recovery without negotiation
  • Regular third-party risk assessments and stricter supply chain security controls
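The monitoring bullet above asks for detection of anomalous file access and exfiltration, and the access section describes the sequence CL0P follows once inside (targeted collection, compression, exfiltration). The following added example, written for this page and not code from Botcrawl or from Globus and Cosmos, shows one way to turn that sequence into detection logic over constructed file-share audit and network egress logs. The log format, thresholds, hostnames, paths and IP ranges are all assumptions made for the example.

```python
"""Added example, not Botcrawl's code or Globus/Cosmos telemetry: flag the
collect -> stage -> exfiltrate sequence in constructed file-audit and egress
logs. Formats, thresholds, hostnames and IP ranges are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".tar.gz")
MASS_READ_THRESHOLD = 100                    # distinct files one account reads ...
MASS_READ_WINDOW = timedelta(minutes=10)     # ... inside this sliding window
EGRESS_THRESHOLD_BYTES = 500 * 1024 * 1024   # 500 MiB to one external host ...
EGRESS_WINDOW = timedelta(hours=1)           # ... inside this sliding window
# Internal ranges are listed explicitly (an assumption) instead of relying on
# ipaddress.is_private, which also classifies the documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_kv_line(line):
    """'<iso-ts> key=value ...' -> dict; values are assumed to contain no spaces."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def detect_mass_reads(events):
    """One alert per account reading >= MASS_READ_THRESHOLD distinct files in the window."""
    alerts, per_user = [], defaultdict(list)
    for e in events:
        if e.get("action") == "read":
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        window, seen = deque(), defaultdict(int)     # seen: path -> hits inside window
        for e in evs:
            window.append(e)
            seen[e["path"]] += 1
            while e["ts"] - window[0]["ts"] > MASS_READ_WINDOW:   # slide the window
                old = window.popleft()["path"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) >= MASS_READ_THRESHOLD:
                alerts.append({"rule": "mass_read", "host": e["host"], "user": user,
                               "distinct_files": len(seen), "ts": e["ts"]})
                break
    return alerts

def detect_archive_staging(events):
    """Archive creation on the monitored share is the staging indicator."""
    return [{"rule": "archive_created", "host": e["host"], "user": e["user"],
             "path": e["path"], "ts": e["ts"]} for e in events
            if e.get("action") == "create" and e.get("path", "").lower().endswith(ARCHIVE_SUFFIXES)]

def detect_large_egress(flows):
    """One alert per (host, external dst) whose bytes inside EGRESS_WINDOW pass the threshold."""
    alerts, per_pair = [], defaultdict(list)
    for f in flows:
        if any(ipaddress.ip_address(f["dst"]) in net for net in INTERNAL_NETS):
            continue                                  # internal transfers are out of scope here
        per_pair[(f["host"], f["dst"])].append((f["ts"], int(f["bytes_out"])))
    for (host, dst), recs in per_pair.items():
        recs.sort()
        window, total = deque(), 0
        for ts, nbytes in recs:
            window.append((ts, nbytes))
            total += nbytes
            while ts - window[0][0] > EGRESS_WINDOW:
                total -= window.popleft()[1]
            if total >= EGRESS_THRESHOLD_BYTES:
                alerts.append({"rule": "large_egress", "host": host, "dst": dst, "bytes": total, "ts": ts})
                break
    return alerts

def run_detections(audit_lines, egress_lines):
    events = [parse_kv_line(l) for l in audit_lines]
    flows = [parse_kv_line(l) for l in egress_lines]
    return detect_mass_reads(events) + detect_archive_staging(events) + detect_large_egress(flows)

def correlate(alerts):
    """Hosts on which all three stages fired, i.e. the full chain on one machine."""
    stages = defaultdict(set)
    for a in alerts:
        stages[a["host"]].add(a["rule"])
    return sorted(h for h, s in stages.items() if {"mass_read", "archive_created", "large_egress"} <= s)

# Constructed sample telemetry: a service account sweeps the bookings share,
# an archive appears under /tmp/.cache, then a large upload leaves mft01.
_T0 = datetime(2025, 11, 3, 1, 12, 4)
AUDIT_LINES = [f"{(_T0 + timedelta(seconds=3 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')} host=mft01 "
               f"user=svc_transfer action=read path=/data/bookings/2025/reservations_{i:04d}.csv"
               for i in range(150)] + [
    "2025-11-03T01:25:10Z host=mft01 user=svc_transfer action=create path=/tmp/.cache/export_2025Q3.7z",
    "2025-11-03T09:14:00Z host=ws-finance07 user=jdoe action=read path=/data/invoices/inv_2291.pdf",
]
EGRESS_LINES = [
    "2025-11-03T01:30:00Z host=mft01 dst=203.0.113.45 bytes_out=314572800",
    "2025-11-03T01:42:00Z host=mft01 dst=203.0.113.45 bytes_out=262144000",
    "2025-11-03T01:50:00Z host=ws-finance07 dst=10.20.3.8 bytes_out=900000000",   # internal, ignored
    "2025-11-03T02:05:00Z host=web01 dst=198.51.100.9 bytes_out=52428800",        # small, ignored
]
```

Calling `run_detections(AUDIT_LINES, EGRESS_LINES)` on the constructed data returns one alert per rule, and `correlate` names `mft01` as the only host where all three stages line up. Each rule on its own is noisy (backup jobs read many files, archives are created for legitimate reasons), so the correlation step is where the signal lives. The windows are sliding rather than fixed buckets, so a burst that straddles a clock boundary is still counted as one burst.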

What Affected Individuals Should Do

If you booked travel with Globus or Cosmos, take these steps immediately:

  • Verify any unusual booking changes directly with the company through verified channels
  • Monitor bank and credit card statements for unauthorized transactions
  • Consider placing a fraud alert or credit freeze if financial data was exposed
  • Enable multi-factor authentication on email and financial accounts
  • Run a reputable security scan on devices that were used to access booking accounts, for example using Malwarebytes

The Globus and Cosmos data breach fits a broader trend of large-scale ransomware operations targeting companies that handle significant volumes of personal and financial data. CL0P has been linked to multiple high-impact incidents this year in which data exfiltration preceded encryption and public disclosure. Security analysts point to a rising pattern of attacks leveraging vulnerable third-party software and supply chain weaknesses, a theme that is also visible in other major breaches such as the Knownsec data breach, where stolen tools and sensitive files had broad geopolitical implications.

Data Breach Summary

  • Company: Globus and Cosmos
  • Industry: Leisure and travel
  • Location: United States
  • Threat Actor: CL0P ransomware group
  • Type of Incident: Ransomware with data exfiltration
  • Data Compromised: Customer personal data, booking records, financial documents, internal communications
  • Current Status: Listed on CL0P leak portal

All affected parties should expect ongoing updates as forensic reviews progress and official incident notices are issued. For continuous coverage of major breaches and security alerts, visit Botcrawl’s data breaches category for real time updates and analysis.

For verified coverage of major data breaches and the latest cybersecurity threats, visit Botcrawl for ongoing updates and expert analysis on global digital security events.

Sean Doyle

Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.
