Tokyo Hoso Kogyo Corporation
Qilin ransomware hit Japanese construction firm with double extortion. 30GB of corporate systems encrypted and exfiltrated, now threatened with public release unless ransom paid.
What happened?
On May 7, 2026, Qilin ransomware operators compromised Tokyo Hoso Kogyo Corporation's corporate systems, deploying their signature double-extortion attack model. They encrypted 30GB of confidential company data while simultaneously exfiltrating it to attacker-controlled servers. The breach affected the company's core business operations across construction and civil engineering projects throughout Japan.
What data was actually inside?
30GB of confidential corporate information from a construction and civil engineering firm. This includes project specifications, engineering drawings, contract details, bid proposals, client communications, financial records, and internal operational data. For a construction company, this represents the intellectual property and competitive intelligence accumulated over years of infrastructure projects.
Engineering firms hold data that extends beyond their own operations. They maintain building specifications, infrastructure blueprints, safety assessments, and construction timelines for public and private projects. Government contracts, municipal infrastructure plans, and commercial development projects all leave digital artifacts in corporate systems. The 30GB didn't just expose Tokyo Hoso Kogyo—it potentially exposed their clients and active construction sites.
Who gets hurt and how?
Tokyo Hoso Kogyo faces immediate operational disruption. Encrypted systems halt active projects, delay contract deliverables, and prevent communication with construction sites. The company must continue operations while key systems remain inaccessible or suspect. Every employee, contractor, and subcontractor connected to those 30GB of corporate systems faces exposure of their professional communications and project involvement.
Client damage extends beyond data exposure. Government agencies and private clients who contracted with Tokyo Hoso Kogyo for infrastructure projects now face potential disclosure of their building specifications, security assessments, and project timelines. Competitors gain access to bid strategies, pricing models, and technical approaches. The double-extortion model ensures that even if Tokyo Hoso Kogyo pays to decrypt their systems, the stolen data remains in attacker hands for future leverage or sale.
What did they think they were doing right?
Japanese corporations operating in construction and civil engineering maintain security standards required for government contract bidding. Tokyo Hoso Kogyo implemented access controls, network segmentation, and backup systems designed to support business continuity and protect confidential project data from unauthorized access.
They believed their corporate systems were isolated from external threats through perimeter defenses and employee security training. Construction firms handle sensitive infrastructure projects that require clearance and vetting. The security model focused on preventing unauthorized access from outside actors while maintaining productivity for internal users across office and construction site locations.
What did they not know about their own data?
Corporate file shares in construction companies accumulate project data over decades. Every completed project leaves behind specifications, correspondence, change orders, and final deliverables. Over time, these repositories contain not just current work but historical projects, inactive client relationships, and legacy infrastructure documentation that no one actively maintains.
Qilin extracted 30GB of "confidential company information." What projects did that include? Which clients? How many years of infrastructure blueprints and building specifications? Tokyo Hoso Kogyo discovered the contents of their own corporate systems through a ransomware group's extortion demand. The gap between what the organization believed was in their systems and what attackers actually exfiltrated represents the inventory failure.
If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?
What does attribution look like the morning after?
Qilin operates on a double-extortion timeline. Tokyo Hoso Kogyo received an encryption notice and an exfiltration warning simultaneously. Pay the ransom to decrypt systems and prevent data publication. Refuse, and the 30GB goes public on leak sites where competitors, journalists, and threat actors can download infrastructure project details.
The company must now notify clients whose project data was compromised, inform employees whose communications were exfiltrated, and report the breach to Japanese data protection authorities. Every government contract in that 30GB requires disclosure to the contracting agency. Every private client deserves notification that their building specifications may be exposed. The notification obligations compound faster than the organization can inventory what was actually taken.
What would have changed the outcome?
Knowing exactly what infrastructure project data existed in corporate systems before ransomware operators extracted it.
An organization that inventoried its file shares would have identified which projects contained government contracts, which clients had the most sensitive infrastructure data, and where legacy project files accumulated sensitive blueprints no longer needed for active operations. They could have isolated high-risk data, implemented automated retention policies, and segregated active projects from historical archives.
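The file-share inventory described above can start as a per-project summary of size, idle time, and sensitive file names. The following is an added example, not code from the original page or from the company; the marker keywords, the three-year staleness threshold, and the one-folder-per-project layout are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed markers for high-risk project files; tune to your own naming conventions.
SENSITIVE_MARKERS = ("contract", "bid", "blueprint", "drawing", "spec")
DAY = 86400

def inventory_share(root, stale_days=3 * 365, now=None):
    """Summarise each top-level project folder: size, files, idle days, sensitive names."""
    now = time.time() if now is None else now
    report = {}
    for project in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        size = count = hits = 0
        newest = 0.0
        for dirpath, _dirs, files in os.walk(project):
            for name in files:
                try:
                    st = os.stat(os.path.join(dirpath, name))
                except OSError:
                    continue  # unreadable or vanished file: skip, keep scanning
                size += st.st_size
                count += 1
                newest = max(newest, st.st_mtime)
                hits += any(m in name.lower() for m in SENSITIVE_MARKERS)
        idle_days = int((now - newest) // DAY) if count else None
        stale = idle_days is not None and idle_days >= stale_days
        # Stale folders that still hold sensitive files are retention candidates.
        report[project.name] = {
            "bytes": size, "files": count, "idle_days": idle_days,
            "sensitive_files": hits,
            "action": ("archive-or-delete" if stale and hits
                       else "review" if stale else "active"),
        }
    return report

def build_sample_share(root, now):
    """Constructed sample tree: one active project and one legacy project."""
    samples = {"2025-bridge/bid_proposal.xlsx": 10, "2025-bridge/notes.txt": 5,
               "2009-road/blueprint_rev3.dwg": 4000, "2009-road/memo.txt": 3900}
    for rel, age_days in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"x" * 16)
        os.utime(path, (now - age_days * DAY, now - age_days * DAY))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp, time.time())
        print(inventory_share(tmp))
```

File names are only a first-pass signal; folders flagged here still need an owner to confirm contents before anything is archived or deleted.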
Instead, Qilin found 30GB of unsegregated corporate data spanning active and completed projects. When the encryption deployed, Tokyo Hoso Kogyo learned what sensitive data lived in their own systems from a ransomware extortion demand. The organization's first complete inventory of confidential project data came from the attackers who stole it.
Tokyo Hoso Kogyo Corporation found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.