Back to Blog
high severity June 22, 2026 · scope unconfirmed

Kochs GmbH Listed by aurora Ransomware Group

[manufacturer] *** — a family-owned German manufacturer of windows, doors, and aluminium façade systems headquartered in Herzogenrath, Nordrhein-Westfalen, with ~240 employees across Germany, the Netherlands, and Hungary. The exposed material includes: 22 GB of payroll database backups (7 MSSQL .bak files, 2016–2023) — every employee's salary, bank IBAN, tax class, social insurance number, pension contributions, and wage garnishments. 2.3 GB of DATEV payroll records (through May 2026) — individual named salary documents, garnishment data, company car records for all three entities. 7 Active D

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed June 22, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On June 22, 2026, German manufacturer Kochs GmbH appeared on the leak site of the aurora ransomware group after attackers exfiltrated more than 24 GB of internal files, including detailed payroll records containing employees’ salaries, bank IBANs, social insurance numbers, and tax data.

Confirmed Facts from Reporting

Public reporting indicates that Kochs GmbH, a family-owned company headquartered in Herzogenrath, Nordrhein-Westfalen, produces windows, doors, and aluminium façade systems. The firm employs roughly 240 people across operations in Germany, the Netherlands, and Hungary.

22 GB of payroll database backups in the form of seven MSSQL .bak files covering 2016–2023 were taken. These contain every employee’s salary details, bank IBAN, tax class, social insurance number, pension contributions, and wage garnishments. An additional 2.3 GB of DATEV payroll records through May 2026 include individually named salary documents, garnishment data, and company car records for all three legal entities. The aurora group posted the material on its dark-web leak site, accessible via the onion address hosted on ransomware.live.

Why This Matters for You and Your Family

When a company’s payroll files leave its control, the information can be used to commit identity theft, file fraudulent tax returns, or open accounts in your name. If you or a family member worked at Kochs GmbH or any vendor that shared payroll data with them, your bank details, social insurance number, and exact salary history are now in the hands of criminals. Even if you were not directly employed there, spouses and adult children listed as emergency contacts or beneficiaries can also be exposed through these records.

Payroll data from 2016 to 2023 creates a long historical window that fraudsters prize. A single leaked IBAN combined with a social insurance number is often enough to bypass basic bank security checks. For ordinary families this translates into months or years of cleaning up credit reports, disputing fraudulent charges, and worrying about tax authorities receiving false filings under your name.

The Doxxing and Identity-Chain Implications

Stolen payroll files rarely stay isolated. Attackers cross-reference names, addresses, dates of birth, and bank details with information from earlier breaches. This creates an identity chain that links your work email to personal accounts, phone numbers, and even children’s gaming usernames if the same password or recovery details were reused. Once the chain exists, opportunistic criminals can move from financial fraud to full doxxing—publishing home addresses, children’s names, and daily routines.

Credential leaks like this one cascade into account takeovers on gaming platforms, social media, and email. A child’s Roblox or Minecraft account tied to a parent’s reused password can quickly become part of the same chain, exposing the entire household to harassment or further extortion.

Aurora Ransomware Group’s Track Record

Public reporting attributes the attack to the aurora ransomware group. The group emerged in late 2024 and has since listed dozens of victims, primarily mid-sized European manufacturers and service companies. Its typical playbook begins with initial access through phishing or exploited remote desktop credentials, followed by deployment of ransomware to encrypt systems. After exfiltration, aurora demands payment and, if unmet, publishes samples or full datasets on its leak site to pressure victims. The group’s extortion style combines data leaks with direct threats to notify customers, partners, and regulators.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity so you can see exactly what chains exist from this breach.
  • Rotate the password used at Kochs GmbH anywhere it is reused, and switch on 2FA through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your data is caught in hours, not months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same addresses and passwords.
  • Let the remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing accounts.

The incident shows how quickly payroll data from a single manufacturer can threaten the financial and personal safety of ordinary families. Acting promptly on the exposed information gives you the best chance of limiting damage before criminals stitch it into larger identity chains. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts—practical protection when leaks like aurora’s appear without warning.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.