Incident

Everest ransomware gang claims breach of BMW



The Everest cybercrime group reports the breach of Bayerische Motoren Werke AG (BMW). The 109-year-old car and motorsport manufacturer was listed on the ransomware group's dark leak blog on September 14, 2025.

The Everest ransomware group claims to have exfiltrated approximately 600,000 lines of sensitive internal documents from BMW. Researchers suspect that Everest's operatives gained initial access via a compromised Remote Desktop Protocol (RDP) endpoint within BMW's network perimeter, with weak or reused credentials likely enabling the attackers to move laterally, deploy custom PowerShell scripts, and harvest files from audit directories and communication archives.

Everest has not listed the exact volume of data it possesses, nor has it made a public ransom demand.

The post includes a countdown clock that expired on September 14th, with another countdown clock giving "just over 48 hours" and stating that a "Company representative should follow the instructions to contact us before time runs out".

BMW has not released an official statement confirming the breach or detailing negotiations.

Aras Nazarovas, Senior Information Security Researcher at Cybernews, advises caution, stating that "they mention the data is audit-related, which could mean lots of sensitive documents, but could also be a mistranslation, which is common for Everest". 

Update - as of 21st of September 2025, BMW has confirmed the breach, which apparently occurred at one of its American third-party service providers. “There has been a data breach at a third-party service provider in the US. The incident relates to internal quality management documents,” a BMW spokesperson told Cyber Daily. “As a precaution, access to affected accounts has been blocked, and extensive security checks have been carried out. At this stage, there is no evidence of compromise within BMW infrastructure.”
