Supply Chain

Saudi Aramco Contractor Data Breach — 1TB Exfiltrated, $50M Ransom Demand, 14,000 Employee Records

📅 2021-06-01 🏢 Unnamed third-party contractor (Saudi Aramco)

Incident Details

In July 2021, a threat actor using the name “ZeroX” began advertising 1 terabyte of data stolen from Saudi Arabian Oil Company (Saudi Aramco) on a darknet forum, demanding $50 million in Monero cryptocurrency for the full dataset or offering partial files for smaller payments. Saudi Aramco confirmed the data leak, stating that it had “recently become aware of the indirect release of a limited amount of company data which was held by third-party contractors,” while asserting the release was not the result of a breach of Aramco’s own systems and had no operational impact.

The leaked data was extensive and highly sensitive. It included over 14,000 of Aramco’s roughly 66,000 employee profiles dating back to 1993, containing full names, photographs, passport copies, email addresses, phone numbers, Saudi residence permit (Iqama card) numbers, job titles, employee ID numbers, and family information. Additional leaked materials included customer invoices, internal project specifications, network diagrams, and other operational documents. ZeroX posted samples of the data as proof of legitimacy.

Aramco did not identify which contractor had been compromised or how the data had been exfiltrated. ZeroX's leak site displayed countdown timers tied to the two price tiers, the $5 million partial sale and the $50 million full sale, to pressure both Aramco and prospective buyers into acting quickly. There is no public indication that Aramco paid any ransom. This was a data-theft extortion rather than an encryption event: Aramco reported no operational impact, and ZeroX was not publicly attributed to any known ransomware or extortion group.

The breach demonstrated the acute risk posed by contractor and vendor access to core operational and HR data at critical infrastructure organizations. Saudi Aramco, one of the world's largest oil producers and most valuable companies, is an extreme-consequence target for supply chain attacks. That 1TB of detailed employee and operational data, including network diagrams and project specifications, resided with a third-party contractor and was exfiltrated from that contractor rather than from Aramco directly shows how an indirect path sidesteps a primary organization's investment in its own network security: data shared with a vendor is only as well protected as the weakest environment it is copied into, which is why data minimization in vendor sharing, contractual security requirements, and inventory of where sensitive data lives outside the enterprise matter as much as perimeter controls.

Technical Details

Initial Attack Vector
Compromise of a third-party contractor holding Saudi Aramco internal data; exfiltration from the contractor's systems rather than Aramco's own network. The method of initial compromise and the identity of the contractor were not disclosed.
Vendor / Product
Unnamed third-party contractor (Saudi Aramco)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2021-06-01 Breach occurred
  2. 2021-07-14 Publicly disclosed