Romania Pipeline Firm Hit With 1TB Data Breach
Romania’s national oil pipeline operator Conpet said a cyberattack hit its corporate IT infrastructure on February 3, 2026, while the Qilin ransomware group alleged it stole nearly 1TB of data and published sample files to support the claim.
What Happened in the Breach
Conpet disclosed that a cyber incident affected its business IT environment and left its public website inaccessible, while oil transport operations continued normally.
Conpet said its operational technology systems, including SCADA and telecommunications, were not affected, and it said contractual obligations could still be met.
In the days after Conpet’s disclosure, the Qilin ransomware group claimed responsibility and alleged theft of nearly 1TB of data, publishing images that reporting described as internal documents, financial records, and passport scans.
Timeline: From First Access To Latest Update
Conpet has not disclosed the earliest intrusion date, so the timeline below starts with the first confirmed company detection and runs through the latest public updates in mid-February 2026.
- February 3, 2026: Conpet said a cyberattack affected its business IT infrastructure.
- February 4, 2026: Romanian media reported Conpet’s statement that SCADA and telecom systems were not affected, the website was down, and a criminal complaint was filed with DIICOT.
- February 5, 2026: Security reporting said Qilin listed Conpet on its leak site and claimed theft of nearly 1TB, alongside a small sample of files.
- February 6, 2026: The Record reported Conpet was working with national cybersecurity authorities and had filed a criminal complaint, while Qilin continued to allege data theft.
- February 12, 2026: Conpet warned that preliminary checks found a risk that personal data had been exfiltrated, and the company said the volume of affected data and the number of impacted people were not yet known.
- February 13, 2026: Follow-on reporting summarized Conpet’s confirmation of data theft and repeated Qilin’s “nearly 1TB” allegation while the investigation continued.
What Data Or Systems Were Affected
Conpet said the incident affected corporate IT infrastructure, not the operational systems used to run the national oil transport network.
Conpet later warned of a risk that certain personal data managed by the company may have been exfiltrated, and it said technical analysis was still underway.
Reporting on the Qilin leak claim described sample files that appeared to include confidential internal documents, financial information, and scans of passports, along with personal data fields such as names, postal addresses, personal identification numbers, and bank account numbers.
Who Was Responsible (Confirmed Vs Alleged)
Conpet has not publicly named the attacker, and no public law enforcement attribution has been reported in the initial disclosures.
Qilin claimed responsibility, listed Conpet on a leak site, and asserted it stole nearly 1TB of data, releasing a limited sample to back the allegation.
How The Attack Worked
Conpet has not disclosed the entry point, the malware used, or whether systems were encrypted, and the company’s public statements have focused on business IT disruption and investigation status.
Public reporting ties the incident to a ransomware-style extortion pattern because Qilin is described as a ransomware-as-a-service operation and because the group posted alleged stolen documents as pressure.
Conpet’s public warning about possible exfiltration and fraud risk suggests investigators were assessing data access in addition to service disruption, but the company has said it cannot yet quantify the scope.
Impact and Risks for Customers
Conpet said oil transport operations continued normally, which limited immediate operational disruption for downstream fuel logistics.
The bigger near-term risk sits with data misuse if the exfiltration concern is confirmed, particularly fraud attempts that use stolen details to create believable pretexts. Conpet warned people to treat urgent requests over email, phone, or other channels with high caution while the investigation continues.
Company Response And Customer Remediation
Conpet said internal specialists took immediate steps to reduce the impact and restore affected infrastructure, while coordinating with national cybersecurity authorities.
Conpet also filed a criminal complaint with DIICOT, according to company statements carried by Romanian and industry press.
As of the latest public updates, Conpet has not published a final determination on the amount of data affected or a definitive list of impacted individuals, and it has framed its warnings as precautionary during ongoing technical analysis.
Government, Law Enforcement, And Regulator Actions
Conpet said it notified DIICOT and filed a criminal complaint related to the incident.
Conpet has also said it is working with Romania’s National Cyber Security Directorate, which Romanian reporting refers to as DNSC, during the investigation and impact assessment.
No public fines, enforcement actions, or arrests tied to this incident have been reported in the initial disclosures and follow-on coverage.
Financial, Legal, And Business Impact
Conpet has not disclosed ransom demands, negotiations, or direct financial losses, and it has said the incident did not affect operational activity or its ability to meet contractual obligations.
The immediate business impact described publicly includes disruption to corporate IT services and the temporary loss of public web access, alongside incident response and investigation costs that typically follow such events.
Legal exposure and follow-on costs may depend on the final determination of what personal data was accessed and whether any confirmed leak leads to fraud, claims, or regulatory scrutiny, but Conpet has said the scope is still under review.
How Bright Defense Can Reduce Risk From Incidents Like This
Ransomware crews often start in the business IT side, then use stolen credentials, misconfigurations, or unpatched weaknesses to widen access, so regular testing and continuous controls matter even when operational systems stay isolated. Bright Defense provides penetration testing to surface exploitable paths in networks, cloud environments, and applications before attackers find them.
Bright Defense also offers continuous cybersecurity compliance programs that keep security controls active and monitored over time, which supports disciplined patching, access control, and evidence-ready processes across frameworks such as SOC 2, HIPAA, and CMMC.
What Remains Unclear About the Breach
The earliest intrusion date remains unknown because Conpet has not disclosed initial access timing, dwell time, or the method used to enter the corporate environment.
The “nearly 1TB” figure remains an attacker claim, and Conpet has said it cannot yet determine the amount of data stolen during the ongoing investigation.
The number of affected individuals and the complete data categories involved remain unconfirmed publicly, since Conpet has framed its current view as preliminary risk assessment while technical review continues.
Why This Incident Matters
The incident shows how corporate IT disruption and alleged data theft can hit critical infrastructure operators even when operational control systems remain functional, which still creates national and commercial risk through data exposure and extortion pressure.
It also fits a recent pattern of ransomware activity affecting Romanian public and infrastructure-linked entities, including widely reported disruptions in other sectors, which keeps pressure on national response capacity and on basic cyber hygiene across essential services.
Sources
- Digi24 — CONPET S.A., ţinta unui atac cibernetic. Societatea se ocupă de transportul ţiţeiului şi gazolinei (February 4, 2026)
https://www.digi24.ro/stiri/actualitate/conpet-s-a-tinta-unui-atac-cibernetic-societatea-se-ocupa-de-transportul-titeiului-si-gazolinei-3616379 - Financial Intelligence — Atac cibernetic la Conpet; infrastructura IT de business a fost afectată; tehnologiile operaționale nu au fost impactate (February 4, 2026)
https://financialintelligence.ro/atac-cibernetic-la-conpet-infrastructura-it-de-business-a-fost-afectata-tehnologiile-operationale-nu-au-fost-impactate/ - BleepingComputer — Romanian oil pipeline operator Conpet discloses cyberattack, Qilin ransomware (February 5, 2026)
https://www.bleepingcomputer.com/news/security/romanian-oil-pipeline-operator-conpet-discloses-cyberattack-qilin-ransomware/ - The Record — Romania’s oil pipeline operator confirms cyberattack as hackers claim data theft (February 6, 2026)
https://therecord.media/romania-conpet-oil-pipeline-ransomware-attack - Industrial Cyber — Romania’s oil pipeline operator Conpet targeted in cyberattack, as Qilin alleges 1TB data breach (February 6, 2026)
https://industrialcyber.co/mining-oil-gas/romanias-oil-pipeline-operator-conpet-targeted-in-cyberattack-as-qilin-alleges-1tb-data-breach/ - World Pipelines — Romanian oil pipeline operator Conpet discloses cyberattack (February 6, 2026)
https://www.worldpipelines.com/business-news/06022026/romanian-oil-pipeline-operator-conpet-discloses-cyberattack/ - BURSA.RO — Date personale ale clienţilor Conpet, posibil compromise în urma unui atac cibernetic (February 12, 2026)
https://www.bursa.ro/date-personale-ale-clientilor-conpet-posibil-compromise-in-urma-unui-atac-cibernetic-63773853 - BleepingComputer — Romania’s oil pipeline operator Conpet confirms data stolen in attack (February 12, 2026)
https://www.bleepingcomputer.com/news/security/romanias-oil-pipeline-operator-conpet-confirms-data-stolen-in-attack/ - SC Media — Conpet hit by cyberattack, Qilin ransomware claims responsibility (February 6, 2026)
https://www.scworld.com/brief/conpet-hit-by-cyberattack-qilin-ransomware-claims-responsibility - teiss — Qilin ransomware gang claims theft of 1TB of data from Romania’s oil pipeline operator Conpet (February 13, 2026)
https://www.teiss.co.uk/news/qilin-ransomware-gang-claims-theft-of-1tb-of-data-from-romanias-oil-pipeline-operator-conpet-17089
Get In Touch
