Attack alert: Qilin targets Victoria Benelux - BE
Introduction
On December 20, 2025, Victoria Benelux, a century-old Belgian insurer managing €2.5 billion in assets, became the target of the Qilin ransomware group. This cyberattack against a company with 1,000 to 5,000 employees exposed sensitive personal data, customer contracts, and critical financial information. Classified as SIGNAL level by our XC-Classify protocol, this breach occurred within a strict regulatory context for the insurance sector in Belgium, subject to the GDPR and the DORA directive. The incident illustrates the persistent vulnerability of financial institutions to sophisticated ransomware threats, despite Victoria Benelux's more than a century of existence since its founding in 1923.
This attack reflects a worrying trend: cybercriminal groups are primarily targeting financial and insurance institutions due to their wealth of sensitive data and their high payment capacity. The compromise of an insurer of this size raises critical questions about the protection of the personal information of thousands of Belgian customers and the sector's resilience to modern cyber threats.
Detailed Analysis
Analysis of the certified data reveals significant exposure of Victoria Benelux's digital assets. The extracted metadata suggests a targeted intrusion specifically aimed at contract management and financial data systems, the cornerstones of the insurance business. This compromise occurred at the end of the year, a traditionally sensitive period for accounting closing operations and insurance policy renewals.
Qilin, also known as Agenda, operates according to a particularly formidable Ransomware-as-a-Service (RaaS) model. This cybercriminal collective rents its malicious infrastructure to affiliates, thus multiplying its capacity to cause harm on a global scale. Active for several years, the group specializes in attacks against medium-sized to large organizations, favoring high-value sectors such as finance, insurance, and healthcare.
Qilin's modus operandi relies on a double extortion tactic: encrypting critical data and threatening to publish the exfiltrated information. This approach maximizes pressure on victims, who are forced to negotiate not only to regain access to their systems but also to avoid the public exposure of sensitive data. Attackers typically exploit unpatched vulnerabilities, compromised VPN connections, or targeted phishing campaigns to gain initial access to victims' networks.
Qilin's previous victims include several financial sector companies and critical service providers in Europe and North America. The group is distinguished by its ability to maintain prolonged persistence within compromised networks, sometimes for several weeks before encryption is triggered. This tactical patience allows attackers to identify and exfiltrate the most sensitive data before revealing their presence.
Qilin's RaaS model is transforming cybercrime into a structured industry. Affiliates benefit from technical support, negotiation tools, and a cryptocurrency payment infrastructure in exchange for a commission on collected ransoms. This professionalization explains the increasing sophistication of attacks and their alarming frequency.
Victoria Benelux is a major player in the Belgian insurance landscape. Founded in 1923, the company has spanned a century of history, developing recognized expertise in risk management and asset protection. With an estimated workforce of between 1,000 and 5,000 employees, the organization operates throughout Belgium, offering a full range of insurance products to individuals and businesses.
Victoria Benelux's €2.5 billion turnover testifies to its significant economic weight in the Belgian insurance sector. This strategic position comes with considerable responsibility: managing sensitive personal data for tens of thousands of clients, including medical, asset, and financial information. The very nature of the insurance business necessitates the massive collection and processing of confidential information, making the company a prime target for cybercriminals.
Victoria Benelux's location in Belgium places it at the heart of a highly regulated European financial ecosystem. The company operates in an environment where trust is the foundation of the client relationship. The compromise of its IT systems directly threatens this trust, with potential repercussions for its reputation and competitive position. The insurer's clients legitimately expect optimal protection of their data, in accordance with the highest industry standards.
The impact of this cyberattack extends beyond the purely technical. Victoria Benelux manages life, auto, home, and liability insurance contracts—all areas where the confidentiality of information is of paramount importance. The breach could affect the company's ability to meet its contractual obligations, process ongoing claims, and maintain business continuity. Victoria Benelux's partners, brokers, and reinsurers are closely monitoring the situation, aware of the risk of contagion in an interconnected sector.
Technical analysis of this breach reveals an exposure classified at the SIGNAL level by our XC-Classify system. This level indicates early detection of the incident, prior to widespread data leaks on leak platforms. The compromised information primarily concerns sensitive personal data, customer contracts, and critical financial information, according to the evidence available in our certified database.
Review of the potentially exfiltrated files suggests an intrusion targeting Victoria Benelux's document management systems and customer databases. The attackers likely identified and extracted the most sensitive information before deploying their encryption payload. This methodology aligns with Qilin's usual tactics, techniques, and procedures (TTPs), which favor a surgical approach over indiscriminate mass attacks.
The incident timeline remains partially documented. The discovery of the compromise on December 20, 2025, does not necessarily mean that the initial intrusion occurred during that period. Available data suggests a possible earlier presence of the attackers within Victoria Benelux's network, a hypothesis consistent with Qilin's modus operandi. The group typically maintains a discreet presence for several days, or even weeks, before triggering encryption and revealing its presence.
The risks to the exposed data revolve around several factors. First, the direct exploitation of personal information for fraud or identity theft. Second, the use of financial information for malicious operations targeting Victoria Benelux customers. Third, the resale of the data on dark web marketplaces, fueling a global criminal ecosystem. The inherent sensitivity of insurance information, sometimes including medical or legal data, significantly amplifies these risks.
Our XC-Classify protocol assigns a score based on a multi-criteria threat analysis. The SIGNAL level reflects a situation where data is reported as compromised, but its public dissemination remains limited or unconfirmed. This classification allows the organizations concerned and potentially affected individuals to anticipate risks and deploy appropriate protective measures before a threat escalates.
The insurance sector in Belgium faces increasing cyber risks, amplified by the accelerated digitization of processes and the concentration of sensitive data. This attack against Victoria Benelux exposes the structural vulnerabilities of a sector where trust is the primary intangible asset. Belgian insurers manage considerable volumes of personal, medical, and financial information, making them prime targets for ransomware groups.
Frequently Asked Questions
When did the attack by Qilin on Victoria Benelux occur?
The attack occurred on December 20, 2025, and was claimed by Qilin. The incident can be tracked directly on the dedicated alert page for Victoria Benelux.
Who is the victim of Qilin?
The victim is Victoria Benelux, which operates in the insurance sector. The company is located in Belgium. Visit Victoria Benelux's official website. To learn more about the Qilin threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on Victoria Benelux?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on Victoria Benelux has been claimed by Qilin but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
The regulations applicable in Belgium impose strict obligations on players in the insurance sector. The GDPR requires notification to data protection authorities within 72 hours of discovering a personal data breach. Victoria Benelux must also inform the Belgian Data Protection Authority (DPA) and, potentially, the individuals concerned if the risk to their rights and freedoms is high. Failure to comply with these obligations exposes the company to administrative penalties of up to 4% of its global annual turnover.