The Estrumar Metalworks data breach has emerged following the addition of the company to the SAFEPAY ransomware group’s dark web extortion portal. Estrumar Metalworks, formally known as Metálicas Estrumar, is a Spain-based metal fabrication and structural engineering firm headquartered in Burgos, Castilla y León. The SAFEPAY group claims to have compromised internal systems associated with the company and is listing the organization as a victim pending further data publication.
SAFEPAY ransomware actors typically follow a double extortion model, where sensitive corporate data is exfiltrated prior to or alongside system encryption. While the full scope of the Estrumar Metalworks data breach has not yet been publicly disclosed, the appearance of the company on the group’s leak portal indicates that proprietary business data, internal documentation, or employee information may be at risk. Manufacturing and industrial engineering firms are increasingly targeted due to their reliance on legacy systems, distributed operational networks, and sensitive project documentation.
Estrumar Metalworks operates in the metal fabrication and structural engineering sector, supporting industrial construction, infrastructure projects, and custom metal solutions. Companies in this sector often store detailed blueprints, client contracts, supplier pricing structures, and engineering specifications. A data breach affecting such systems can have significant downstream effects across supply chains and active construction projects.
Background on the Estrumar Metalworks Data Breach
Estrumar Metalworks has established itself as a regional provider of metal fabrication and structural engineering services in Spain. The company works with industrial clients that require precision manufacturing, steel structures, and engineered metal components. These operations depend heavily on digital design files, internal project management systems, and communications with contractors and suppliers.
The Estrumar Metalworks data breach surfaced after SAFEPAY added the company to its list of victims, indicating that negotiations may be underway or that the attackers are preparing to release stolen data. Ransomware groups frequently exploit exposed remote services, compromised credentials, or unpatched vulnerabilities in industrial IT environments to gain initial access.
In similar SAFEPAY incidents involving manufacturing firms, leaked data has included internal CAD files, invoices, employee records, operational documentation, and email archives. Even without immediate data publication, the mere confirmation of unauthorized access introduces serious operational and legal risks.
Scope and Composition of the Allegedly Exposed Data
Although SAFEPAY has not yet published samples from the Estrumar Metalworks data breach, the type of data typically held by metal fabrication firms suggests potential exposure of the following categories:
- Engineering drawings and CAD design files
- Project specifications and structural calculations
- Client contracts and bid documentation
- Supplier and subcontractor agreements
- Internal financial records and invoices
- Employee records and internal communications
- Operational planning and production schedules
The loss of such data can undermine competitive positioning, disrupt ongoing projects, and expose confidential relationships with public and private sector clients.
Risks to Business Operations and Supply Chains
The Estrumar Metalworks data breach poses multiple operational risks beyond immediate system disruption. Manufacturing and engineering firms often function as nodes within larger construction and infrastructure ecosystems. Any compromise can cascade outward.
Potential risks include:
- Project delays caused by loss of access to design and production systems
- Intellectual property exposure affecting proprietary fabrication methods
- Contractual disputes if client data is leaked or manipulated
- Supplier trust erosion if pricing or procurement data is exposed
- Increased likelihood of follow-on phishing attacks using stolen emails
Ransomware incidents in industrial environments can also force temporary shutdowns of production systems, leading to missed deadlines and financial penalties.
Threat Actor Behavior and SAFEPAY Tactics
SAFEPAY is a ransomware group that has been actively targeting manufacturing, construction, healthcare, and professional services firms. The group typically publishes victim listings with countdown timers, applying pressure through the threat of public data disclosure.
Observed SAFEPAY behaviors include:
- Exfiltration of large volumes of internal documents prior to encryption
- Selective leaking of sensitive files to validate claims
- Targeting organizations with limited incident response maturity
- Use of double extortion rather than pure encryption-only attacks
The inclusion of Estrumar Metalworks on the SAFEPAY portal suggests the attackers believe the stolen data has extortion value, either due to its sensitivity or its relevance to business operations.
Possible Initial Access Vectors
While the exact intrusion method has not been confirmed, ransomware attacks against manufacturing firms frequently originate from a limited set of entry points:
- Compromised VPN or remote desktop services
- Stolen credentials obtained from earlier breaches
- Phishing emails leading to malware deployment
- Unpatched server vulnerabilities in legacy systems
- Third-party vendor access with insufficient segmentation
Industrial environments often lag behind in patch cycles due to uptime requirements, making them attractive targets for ransomware operators.
Regulatory and Legal Implications in Spain
If the Estrumar Metalworks data breach involves personal data of employees, contractors, or clients, the company may be subject to obligations under the General Data Protection Regulation (GDPR). Spanish data protection authorities require timely notification when breaches pose a risk to individual rights and freedoms.
Potential regulatory consequences include:
- Mandatory disclosure to affected individuals
- Reporting obligations to the Spanish Data Protection Agency
- Administrative fines if negligence is established
- Increased scrutiny of cybersecurity practices
For engineering firms working on public infrastructure projects, contractual compliance requirements may also be triggered following a confirmed breach.
Mitigation Steps for Estrumar Metalworks
To contain and recover from the Estrumar Metalworks data breach, several immediate and long-term actions are recommended:
- Isolate affected systems to prevent further data exfiltration
- Engage forensic specialists to determine intrusion scope and timeline
- Reset credentials across all internal and remote access systems
- Audit access logs for unauthorized lateral movement
- Notify relevant partners and clients if shared data is affected
- Strengthen network segmentation between operational and administrative systems
Recommended Actions for Employees and Partners
Individuals associated with Estrumar Metalworks should remain vigilant for secondary attacks following the breach:
- Be cautious of emails referencing invoices, projects, or document reviews
- Verify unusual requests through secondary communication channels
- Monitor for signs of identity misuse or unauthorized account access
- Use reputable security tools such as Malwarebytes to scan devices for malware or credential-stealing threats
Broader Implications for the Manufacturing Sector
The Estrumar Metalworks data breach reflects a broader trend of ransomware groups targeting industrial and engineering firms across Europe. These organizations often store high-value technical data while operating with limited cybersecurity visibility compared to financial or technology firms.
As ransomware groups continue to professionalize, manufacturing companies must prioritize cybersecurity investment, regular risk assessments, and employee awareness. The continued targeting of metalworks and fabrication firms highlights the need for sector-wide improvements in resilience and incident preparedness.
For ongoing coverage of significant data breaches and developments across the cybersecurity landscape, further analysis will follow as new information becomes available.
Sean Doyle
Sean is a tech author and security researcher with more than 20 years of experience in cybersecurity, privacy, malware analysis, analytics, and online marketing. He focuses on clear reporting, deep technical investigation, and practical guidance that helps readers stay safe in a fast-moving digital landscape. His work continues to appear in respected publications, including articles written for Private Internet Access. Through Botcrawl and his ongoing cybersecurity coverage, Sean provides trusted insights on data breaches, malware threats, and online safety for individuals and businesses worldwide.











