American pharmaceutical firm Inotiv is notifying thousands of people that they're personal information was stolen in an August 2025 ransomware attack.
Inotiv is an Indiana-based contract research organization specializing in drug development, discovery, and safety assessment, as well as live-animal research modeling. The company has about 2,000 employees and an annual revenue exceeding $500 million.
When it disclosed the incident, Inotiv said that the attack had disrupted business operations after some of its networks and systems (including databases and internal applications) were taken down.
Earlier this week, the company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) that it has "restored availability and access" to impacted networks and systems and that it's now sending data breach notifications to 9,542 individuals whose data was stolen in the August ransomware attack.
"Our investigation determined that between approximately August 5-8, 2025, a threat actor gained unauthorized access to Inotiv's systems and may have acquired certain data," it says in letter samples filed with Maine's attorney general.
"Inotiv maintains certain data related to current and former employees of Inotiv and their family members, as well as certain data related to other individuals who have interacted with Inotiv or companies it has acquired."
Inotiv has not yet shared which types of data were stolen during the incident, nor has it attributed the attack to a specific cybercrime operation.
However, the Qilin ransomware group claimed responsibility for the breach in August, leaked data samples allegedly stolen from the company's compromised systems, and said they exfiltrated over 162,000 files totaling 176 GB.
Inotiv entry on Qilin's leak site (BleepingComputer)
An Inotiv spokesperson has not yet responded to BleepingComputer's request for comment regarding the validity of Qilin ransomware's claims.
... continue reading