The Cargus data breach has emerged as one of Romania’s most serious alleged data exposure events of the year after a threat actor began openly selling a large customer and business database claimed to belong to Cargus, one of the country’s largest courier and logistics companies. According to multiple dark web posts, the attacker is offering more than 552,000 individual records, each containing extensive personal, financial, and business profile information. Screenshots shared on cybercrime forums show full data samples, detailed field structures, and a listed price of 100 USD for the entire dataset.
Cargus is one of Romania’s oldest and most recognized courier companies. Because the company serves consumers, merchants, and enterprise clients across the country, a compromise of this scale could expose sensitive information tied to hundreds of thousands of Romanian residents and businesses. The threat actor claims that the dataset was exfiltrated recently and is being sold exclusively through private Telegram communication channels.
Background of the Cargus Breach
Cybercrime monitoring channels first flagged the Cargus data breach after a forum listing appeared advertising the sale of the “cargus.ro Romania Business Database.” The listing states that the database contains 552,659 total records and includes a sample preview of hundreds of rows of customer and business data. The attacker published a full field list, indicating a structured dataset rather than a random compilation of scraped or publicly available information.
Cargus operates national parcel delivery services, e-commerce shipping, courier logistics, and business-to-business freight solutions. The company handles large volumes of customer data, including addresses, phone numbers, pickup points, and company registration information. If the dataset is authentic, the breach would expose highly sensitive PII and business details on a massive scale.
- Company: Cargus (Romanian courier and logistics provider)
- Total Records Claimed: 552,659
- Data Format: Structured database with labeled fields
- Listing Price: 100 USD
- Threat Actor Communication: Telegram
The presence of internal identifiers, business registration numbers, and complete address structures suggests that the dataset likely originated from an internal customer or merchant database rather than from public sources. The alleged breach does not appear to involve ransomware or extortion threats at this time. Instead, the attacker is monetizing the data directly by selling a complete copy.
What Information Has Been Exposed
Screenshots shared on dark web marketplaces include field names and sample records that indicate a comprehensive leakage of both personal and business information. The Cargus data breach appears to involve data that could be used for identity theft, targeted scams, financial fraud, and large-scale corporate impersonation schemes.
Allegedly Included Fields
- Full name
- Phone number
- Email address
- Home or business address
- Postal code
- City and locality
- User ID
- Pickup point references
- Complete address notes
- Company name
- CIF (company tax ID)
- Registration numbers
- Bank name
- Bank account number
The listed fields show that the attacker is not only selling low-impact contact information. Many records include corporate identity data, CIF numbers, and banking details, which could be leveraged for financial fraud or targeted spear-phishing campaigns.
Why This Dataset Is Particularly Dangerous
The Cargus data breach is significant due to the depth, accuracy, and volume of the exposed information. Attackers rarely gain access to such a large and organized dataset from a major courier company without exploiting internal systems or misconfigured databases. Even without confirmation from the company, the sample data posted by the attacker appears to be structured in a way that is typical of courier CRM systems or shipping management software.
Key Risks to Affected Individuals and Businesses
- Identity Theft: Full names, addresses, phone numbers, and emails enable attackers to impersonate customers or create fraudulent accounts.
- Business Fraud: CIF numbers and banking details can be used for corporate invoice fraud, impersonation, and payment redirection scams.
- Courier and Delivery Scams: Threat actors may use authentic customer details to send phishing messages disguised as package notifications.
- Financial Fraud: Records with financial data provide attackers with the information needed for social engineering or unauthorized transactions.
- Targeted Attacks: Attackers could use the data to map out business clients and execute more advanced cybercrime campaigns.
Courier companies process highly sensitive personal information, making them frequent targets for cybercriminals. Customer addresses and phone numbers are valuable on the black market because they can be used immediately in social engineering attacks that mimic delivery updates, customs alerts, or missed parcel notifications.
How the Database Was Advertised
The attacker posted the database under the title “Selling cargus.ro Romania Business Database.” The listing included:
- A field structure describing all the database columns
- A large blurred sample showing real entries
- A record count bar showing “Total Records: 552,659”
- A price of 100 USD
- A Telegram username for direct contact
The listing is hosted on a cybercrime forum where numerous regional business databases are bought and sold. These platforms are commonly used by data brokers, fraudsters, and phishing operators.
Potential Causes and Attack Vectors
While the exact cause of the Cargus data breach has not been confirmed, several realistic scenarios could explain the alleged compromise.
Possible Attack Methods
- Unsecured database exposure: Misconfigured cloud databases are one of the most common causes of mass data leaks in Europe.
- Compromised API or CRM system: Attackers may have gained unauthorized access to backend customer management tools.
- Breached partner or contractor: Courier companies often use third-party IT vendors, which can introduce vulnerabilities.
- Insider theft: A disgruntled employee or contractor could have extracted the dataset.
If the breach originated from an exposed database, the attacker may have discovered an open instance lacking proper authentication or encryption. This type of incident is widespread among logistics companies with large volumes of customer information.
Impact on Romanian Consumers and Businesses
The Cargus data breach affects a significant portion of the Romanian population, especially individuals and small to medium-sized businesses that rely on courier services for daily operations. Exposed financial and corporate data is particularly damaging because it allows criminals to perform business email compromise attacks, invoice scams, and targeted fraud campaigns.
Risks to Consumers
- Delivery scam messages mimicking Cargus notifications
- Phishing campaigns requesting payment or identity verification
- Unauthorized use of personal information for new accounts
- Home address exposure leading to privacy concerns
Risks to Businesses
- Fraudulent invoices claiming to originate from legitimate suppliers
- Banking detail impersonation attacks
- Exposure of customer base and logistical information
- Account takeover attempts using leaked emails and IDs
Because the database includes both consumer and corporate entries, criminals can tailor attacks to specific targets using accurate and verified data.
Steps Affected Individuals Should Take
While the authenticity of the dataset has not been officially confirmed, individuals and businesses who have used Cargus services should assume a high level of risk and take immediate precautions.
Recommended Actions
- Be cautious of unexpected delivery notifications or SMS messages.
- Do not click links in unsolicited parcel tracking messages.
- Monitor bank activity and financial accounts for suspicious charges.
- Change reused passwords associated with courier accounts.
- Enable multi-factor authentication wherever possible.
- Use security tools to detect malware or unauthorized applications.
For malware detection and system protection, scanning devices with Malwarebytes can help identify any malicious software installed through phishing links or compromised attachments.
Regulatory Considerations
If verified, the Cargus data breach would fall under Romania’s enforcement of the EU’s General Data Protection Regulation. Breaches of this size require mandatory reporting to the National Supervisory Authority for Personal Data Processing and notification of affected individuals. Regulators may initiate an investigation into how such a large dataset was accessed and why it was not adequately protected.
GDPR penalties can be severe, including fines of up to 20 million euros or 4 percent of global turnover, depending on the nature of the violation and the company’s response.
Mitigation for Companies Using Cargus
Businesses that rely on Cargus services may need to evaluate the risk to their own customer records. Attackers could use leaked business information to impersonate vendors, send fraudulent invoices, or gain unauthorized access to accounts.
Recommended Business Mitigation Steps
- Audit internal systems for unauthorized changes or login attempts.
- Notify employees of increased risk of phishing and social engineering.
- Review all supply chain communication for authenticity.
- Rotate passwords and API keys used with shipping or CRM systems.
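Links in messages that claim to come from the courier can be triaged automatically before employees see them. The Python code below is an added example, not part of the original article or of any Cargus tooling; it assumes cargus.ro (the domain named in the forum listing) is the only domain you have verified, and the function names and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: cargus.ro, the domain named in the listing, is the only domain
# you have verified as legitimate. Extend this set from your own records.
TRUSTED = {"cargus.ro"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url):
    """Return (verdict, reason) for one URL taken from a message."""
    try:
        # hostname drops any "user@" prefix and the port, and lowercases.
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "lookalike", "malformed URL"
    if not host:
        return "lookalike", "no hostname"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "lookalike", "non-ASCII or punycode hostname"
    if ":" in host or re.fullmatch(r"[0-9.]+", host):
        return "untrusted", "raw IP address"
    for domain in TRUSTED:
        # Exact match or a true subdomain; "cargus.ro.example" does not pass.
        if host == domain or host.endswith("." + domain):
            return "trusted", "host is " + domain + " or a subdomain"
    brands = {d.split(".")[0] for d in TRUSTED}
    if any(b in host for b in brands):
        return "lookalike", "brand name inside an untrusted host"
    return "untrusted", "host not on the verified list"


def triage_message(text):
    """Classify every http(s) link in a message body."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    return [(u, *classify_url(u)) for u in urls]


# Constructed sample messages (not taken from the leak or from real traffic).
SAMPLES = [
    "Your parcel is out for delivery: https://www.cargus.ro/track?awb=0000",
    "Pay the delivery fee: https://cargus.ro.parcel-pay.example/pay",
    "Confirm your address: https://cargus.ro@203.0.113.7/confirm",
    "Reschedule here: https://xn--crgus-example.example/r",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for url, verdict, reason in triage_message(msg):
            print(f"{verdict:10} {reason:36} {url}")
```

A "trusted" verdict only means the link points at a verified domain; it says nothing about whether the message itself was expected.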
Ongoing Investigation
At the time of writing, Cargus has not released an official statement addressing the breach. Security researchers continue to monitor the forum listing, and the sample data appears credible enough to warrant caution even without verification from the company.
The attacker has not indicated that they will release the database publicly, but the low sale price suggests that the data may spread rapidly among cybercriminal communities.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.





