The Rhysida ransomware group has published nearly two terabytes of internal data stolen from Gemini Group, a Michigan-based manufacturer that supplies tooling and materials to major automotive companies. The leak follows a ransom deadline that expired in late October and exposes sensitive records belonging to both employees and clients.
Rhysida listed Gemini Group on its leak site and released approximately 1.9 terabytes of data containing more than 1.7 million files. The stolen material reportedly includes payroll records, insurance documents, customer databases, internal communications, and production reports. Security researchers confirmed that the dataset contains financial details, employee personal information, and company documents that could reveal internal operations and pricing structures.
Gemini Group operates 18 facilities across the United States and Mexico and employs several thousand workers. The company confirmed that it experienced a cybersecurity incident but has not provided specifics about how attackers gained access, whether ransomware was deployed, or whether any ransom was paid. The firm said that it is working with cybersecurity experts and law enforcement to determine the scope of the breach.
The data leak, published on October 31, raises significant privacy and business concerns. Files circulating online appear to contain employee names, job titles, hire dates, birthdates, addresses, Social Security numbers, salary information, and health insurance details. Some documents also reference purchase orders and supplier communications that could expose commercial strategies and relationships.
Cybersecurity analysts say the exposure of such detailed personal and corporate data could have long-term consequences. Personal identifiers such as Social Security numbers cannot be changed easily, creating an ongoing risk of identity theft and financial fraud. At the same time, the release of commercial data could allow competitors to study supply-chain dynamics or pricing, potentially harming Gemini Group’s business relationships.
Rhysida targets industrial supply chains
Rhysida, a ransomware operation first observed in 2023, has been linked to numerous attacks on manufacturing, healthcare, and educational institutions. The group typically gains access through compromised credentials or vulnerable remote access systems before stealing data and threatening public release. Experts believe that Rhysida focuses on organisations with critical operations, where downtime could pressure victims into paying ransoms.
In this case, the attackers appear to have prioritised data theft over system disruption. The leak of large volumes of documentation suggests an organised exfiltration process designed to inflict reputational and financial damage. The group’s announcement described Gemini Group as part of a campaign targeting what it called “strategic industrial operators,” a claim that aligns with recent incidents involving other North American manufacturers.
Security analysts note that manufacturing and industrial supply networks have become key targets because of their interconnected systems and reliance on third-party vendors. A breach in one supplier can expose sensitive information across multiple companies, amplifying the scale of each attack. In sectors like automotive production, where digital supply chain coordination is essential, the risks extend beyond a single firm.
Gemini Group’s breach illustrates how attackers increasingly view suppliers as gateways to larger networks. Industrial vendors often store client documentation, design blueprints, and operational data that are valuable to both criminal and state-aligned threat actors. Experts warn that these networks must be treated as critical infrastructure requiring the same cybersecurity standards as major manufacturers.
The company has not publicly commented on the authenticity of the leaked files, but cybersecurity forums that reviewed samples report that the data appears legitimate. Gemini Group continues to work with external investigators, while affected employees are being advised to monitor credit and financial accounts and watch for phishing attempts that use stolen information.
The incident highlights the growing overlap between data breaches and ransomware campaigns in industrial sectors. Even when systems remain operational, the theft of confidential information can be damaging enough to disrupt business continuity. For companies like Gemini Group, the challenge now lies in securing digital operations across a wide vendor network while reassuring partners that data integrity can be restored.