Araneta Group Confirms Cyberattack; $5 Million Ransom Demand Reported
The Araneta Group has confirmed a cybersecurity incident affecting multiple business units, resulting in operational disruptions and potential data exfiltration. The cyberattack was first detected on November 28, 2025. In its December 1 public notice, Araneta Group named Araneta Center Inc., Ticketnet Inc., and PPI (Dairy Queen) Holdings Inc. as affected entities and stated that containment procedures and forensic reviews had begun immediately.
At the time of the statement, the identity of the attackers was not publicly known. Reports from concerned parties prompted Deep Web Konek (DWK) to investigate.
On December 6, the DWK Cybercrime Investigation Division confirmed that a file had been found that served as a proof-of-compromise indicator. While the file contained no malware binaries, it contained several URLs, which were mapped out for further checking. This led to the discovery of the negotiation portal and provided further insight into the ransom demand, the type of data targeted, and the communication methods used by the threat actors.
The attackers claimed that over 1.5 terabytes of sensitive corporate data were exfiltrated prior to network encryption. According to the negotiation portal, the breach included all corporate databases, containing sensitive and confidential information for the Araneta Group. This includes the full personal and business details of clients, vendors, and employees, such as passport information, credit card details, health records, financial documents for the entire corporate group, and other proprietary data.
The affected datasets reportedly also include retail records, hospitality files, ticketing systems, hotel documentation, vendor data, and internal financial archives. The portal indicated that multiple entities under the Araneta Group network were impacted, including ACI Inc., PPI Holdings Inc., Uniprom Inc., Progressive Development Corporation, and Araneta Hotels Inc.
Araneta Group has notified the National Privacy Commission (NPC) and the Department of Trade and Industry (DTI) in compliance with Philippine data protection regulations. Meanwhile, there is no evidence yet of the stolen data being publicly released, though the threat of a leak remains.
Araneta Group encourages affected customers to maintain strong digital security practices, such as keeping passwords secure and changing them regularly. The incident is now considered one of the major corporate breaches in the Philippines in 2025, both because of the volume of potentially compromised information and the public visibility of the ransom interface.