ESA calls cops as crims lift off 500 GB of files, say security black hole still open
Exclusive: The European Space Agency on Wednesday confirmed yet another massive security breach, and told The Register that the data thieves responsible will be subject to a criminal investigation. And this could be a biggie.
Earlier in the week, Scattered Lapsus$ Hunters told us that they gained initial access to ESA's servers back in September by exploiting a public CVE, and stole 500 GB of very sensitive data. This, we're told, includes operational procedures, spacecraft and mission details, subsystems documentation, and proprietary contractor data from ESA partners including SpaceX, Airbus Group, and Thales Alenia Space, among others.
And, according to the crims, the security hole remains open, giving them continued access to the space agency's live systems.
"ESA is in the process of informing the judicial authorities having jurisdiction over this cyber incident to initiate a criminal inquiry," an ESA spokesperson said via email. The agency declined to answer The Register's specific questions about the intruders' claims.
This comes about a week after ESA copped to a December security incident that saw a crim list more than 200 GB of ESA data for sale on the still-not-dead BreachForums.
According to a Shiny Lapsus$ Hunters spokesperson and sample files seen by The Register, the stolen goods appear to include both internal files and documents originating from contractors. This spans operational procedures, contingency plans, system capabilities and security protocols, spacecraft tolerances and failure modes, Earth Observation (EO) satellite constellation details, and other documents related to managing satellite orientation and position.
Contractor data allegedly exfiltrated in the breach belongs to SpaceX, Airbus Group, Thales Alenia Space, OHB System AG, EUMETSAT, Sener, Teledyne, Leonardo, Deimos Imaging, Sitael, SkyLabs, ISISPACE, and others.
Plus, the stolen files allegedly include sensitive information about various space programs and ESA missions such as Greece's national space program, ESA's Next Generation Gravity Mission, its FORUM (Far-infrared Outgoing Radiation Understanding and Monitoring) Earth Explorer Mission, and TRUTHS (Traceable Radiometry Underpinning Terrestrial- and Helio-Studies).
According to the extortionist crew, ESA has known about the breach for at least a week and also downloaded the sample data.
This is not ESA's first – or even second or third – security snafu. The space agency's incidents have been piling up since at least 2011.
In addition to the post-Christmas data dump last month, attackers hit ESA's online store in 2024 shortly before the holiday, with miscreants inserting a fake payment page to nab customer info belonging to users shopping for space-themed Christmas presents.
At the time, ESA said that it's not in charge of its own online store.
Additionally, a trio of ESA domains were compromised in 2015 via an SQL vulnerability, resulting in the theft and leak of information belonging to thousands of subscribers and some ESA staff.
And in 2011, someone broke into ESA's systems and then published administrator, content management, FTP login credentials, and Apache server config files online – although the agency said this didn't affect its internal networks. ®