We do not negotiate with crime
At the intersection of institutional trust and digital fragility, Empresas Públicas de Medellín faced a breach on Friday that did not come through its own doors but through those of a smaller partner. SOLATI S.A.S., the contractor in charge of billing, was the entry point for an international criminal organization that extracted portfolio data from two large Colombian utilities and began publishing it. The attack did not touch EPM's core systems, but it exposed something more lasting than any data leak: the technology supply chain is often the most exposed link in critical infrastructure.
- International criminals penetrated SOLATI S.A.S.'s systems with surgical precision, targeting only the reporting service of the billing CRM.
- Hours after the discovery, the attackers began publicly releasing the extracted information, turning the breach into a visible, accomplished fact.
- EPM activated its internal risk-management protocols and warned the public not to share the leaked data or use unofficial channels for inquiries.
- SOLATI responded firmly: it refused any negotiation with the extortionists, filed formal complaints with the authorities and strengthened its digital security controls.
- The incident revives the spectre of the BlackCat attack of December 2022, when EPM suffered weeks of operational collapse, and confirms that contractors remain the preferred back door for ransomware groups.
On Friday, May 29, EPM announced that SOLATI S.A.S., a Colombian software company contracted to manage billing and customer-relationship processes, had been the victim of an attack carried out by an international criminal organization. The intrusion was precise: the attackers did not try to penetrate EPM's infrastructure directly, but found a way in through a specialized reporting service connected to SOLATI's collections CRM.
Neither EPM nor the Central Hidroeléctrica de Caldas, the other affected entity, suffered direct compromises of their systems. But that technical distinction carried little symbolic weight: within hours, the criminals began publishing fragments of what was stolen on open channels. The exposed data was analytical in nature, information about customer portfolios and billing patterns, yet its public release was enough to set off alarms. EPM activated its risk protocols, kept its core systems running and asked the public not to spread the leaked information or turn to unverified channels.
SOLATI took an unambiguous stance: it declared that it does not negotiate with crime, rejected any attempt at extortion and filed formal complaints with the authorities. The company also announced the immediate strengthening of its digital security controls.
The episode stirred uncomfortable memories. In December 2022, the BlackCat group had hit EPM with one of the most devastating cyberattacks ever recorded against a Colombian public company, leaving technology services out of operation for weeks. This new incident, although less destructive in the short term, confirmed a warning that cybersecurity experts have repeated for years: contractors and technology providers have become the weakest link of large organizations. Attacking a well-defended target directly is hard; reaching it through a less-protected partner is increasingly easy. It is a pattern repeated in Colombia and around the world, and one this breach put back at the center of the conversation.
On Friday, May 29th, Empresas Públicas de Medellín announced that one of its contractors had been breached. SOLATI S.A.S., a Colombian software company hired to manage billing and customer relationship processes, had been hit by what the company described as an attack from an international criminal organization. The breach was surgical in its targeting—aimed specifically at a specialized reporting service connected to the CRM system that handles collections.
What made this attack different from a direct assault on EPM itself was its indirectness. The attackers never penetrated EPM's own infrastructure. Instead, they found their way through a smaller, less fortified partner company. SOLATI confirmed that the unauthorized access was confined to that single billing service and that neither EPM nor the Central Hidroeléctrica de Caldas, the other affected utility, suffered direct system compromises. But the distinction offered little comfort. Within hours of the breach's discovery, the criminals began releasing portions of what they had stolen across public channels.
The data exposed was analytical in nature—information about customer portfolios and billing patterns—rather than personal identifying information. Still, the fact of the breach itself carried weight. EPM moved quickly to activate its internal risk management protocols and coordinate with SOLATI to assess the damage. The utility's core systems, applications, and platforms continued operating normally, the company insisted. But it also issued a warning to the public: do not share the leaked information circulating on social media. Use only official channels for any communication about accounts or payments.
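The entry point described above was a reporting service that served a contractor account and returned two utilities' portfolio data. The article gives no detail of how that access was used or logged, so what follows is an added illustration, not code from SOLATI, EPM or the article: a small detector run over a constructed access log for a hypothetical reporting API. It flags the two signals a practitioner would want from such a service: an account pulling far more rows in a short window than routine reporting needs, and an account receiving data for a tenant it is not scoped to. The log format, account names, tenant labels and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed access log for a hypothetical CRM reporting service (not a real
# SOLATI log). One line per report request:
#   <timestamp> <service account> tenant=<scoped tenant> req=<tenant returned> rows=<rows returned>
SAMPLE_LOG = """\
2026-05-28T22:01:10Z svc-billing-reports tenant=epm req=epm rows=120
2026-05-28T22:03:44Z svc-billing-reports tenant=epm req=epm rows=95
2026-05-28T23:10:02Z svc-billing-reports tenant=epm req=epm rows=48000
2026-05-28T23:11:30Z svc-billing-reports tenant=epm req=epm rows=51000
2026-05-28T23:12:05Z svc-billing-reports tenant=epm req=chec rows=47000
2026-05-28T23:14:50Z svc-analyst-02 tenant=chec req=chec rows=200
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    tenant: str      # tenant the account is scoped to
    requested: str   # tenant whose data the report actually returned
    rows: int


def parse_log(text):
    """Parse the constructed log format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            account=account,
            tenant=fields["tenant"],
            requested=fields["req"],
            rows=int(fields["rows"]),
        ))
    return events


def find_bulk_pulls(events, window=timedelta(minutes=15), max_rows=10_000):
    """Flag accounts whose rows returned within any sliding window exceed max_rows.

    Returns {account: peak rows seen in one window}. A reporting account that
    normally pulls a few hundred rows and suddenly pulls tens of thousands is
    the signature of a full export rather than routine reporting.
    """
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_account[e.account].append(e)

    alerts = {}
    for account, evs in by_account.items():
        start, total = 0, 0
        for e in evs:
            total += e.rows
            # Drop events that fell out of the window ending at e.ts.
            while e.ts - evs[start].ts > window:
                total -= evs[start].rows
                start += 1
            if total > max_rows:
                alerts[account] = max(alerts.get(account, 0), total)
    return alerts


def find_scope_violations(events):
    """Return requests where an account received data for a tenant it is not scoped to.

    Each contractor account should be able to read only its own customer's
    portfolio; one account returning two utilities' data is a scoping failure
    regardless of volume.
    """
    return [e for e in events if e.requested != e.tenant]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bulk pulls:", find_bulk_pulls(evs))
    for v in find_scope_violations(evs):
        print("scope violation:", v.account, "read", v.requested, "at", v.ts.isoformat())
```

On the constructed log the volume check flags svc-billing-reports, which pulls about 146,000 rows in three minutes after a day of pulling about a hundred at a time, and the scope check flags the single request that returned CHEC data through an EPM-scoped account. In practice the row threshold should come from each account's own baseline rather than a constant, and the scope check is the one worth enforcing at the service rather than only detecting: per-tenant credentials mean a compromised contractor account yields one customer's data, not two.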
SOLATI took a harder line. "We do not negotiate with crime," the company stated flatly in its response. It rejected any extortion attempts, denied that it would engage in illicit information sales, and said it had already filed formal complaints with the appropriate authorities. The company also announced it had activated additional digital security controls and begun strengthening its protective measures across the board.
The timing of this breach stirred uncomfortable memories. In December 2022, EPM had suffered one of the most severe cyberattacks ever recorded against a Colombian public company. The BlackCat ransomware group had compromised EPM's digital systems so thoroughly that multiple technological services went down for weeks. The utility was forced to operate under emergency contingency procedures. This new incident, while less directly damaging, pointed to a persistent vulnerability that experts have been warning about for years: the supply chain.
Cybersecurity analysts note that contractors and technology vendors have become some of the weakest links in the security chains of large organizations. Attackers have learned that direct assaults on well-defended targets often fail, while access through partner companies with lighter security can succeed; and because the partner frequently holds copies of the principal's data, as SOLATI held EPM's and CHEC's billing reports, the attacker may never need to touch the principal's network at all. The pattern has become increasingly common across Colombia. In recent years, state agencies, private companies, airlines and financial systems have all reported waves of intrusion attempts, data thefts and extortion campaigns tied to international ransomware groups. These operations typically work by stealing large quantities of data, several terabytes in EPM's 2022 case, and then using that information as leverage to demand payment.
SOLATI said it would continue working with authorities and keep the public informed as the investigation proceeded. EPM reiterated its message: verify any communication about billing or payments only through official channels. The breach had exposed not just data, but a structural weakness in how critical infrastructure protects itself.
Notable Quotes
"The unauthorized access was limited exclusively to that service, and neither EPM nor CHEC suffered direct vulnerabilities in their computer systems." — SOLATI S.A.S.
"Contractors and technology vendors have become among the most vulnerable points through which large organizations can be compromised." — Cybersecurity experts cited in the report
The Hearth Conversation
Another angle on the story
Why target a contractor instead of going straight at EPM? Wouldn't that be harder?
It's actually the opposite. EPM is a major utility with serious defenses. SOLATI is smaller, handles specialized billing work, and likely has fewer security layers. The criminals found the softer entry point.
So EPM's systems were never really at risk?
Not directly, no. But that's almost beside the point. The data they wanted—customer portfolio information, billing patterns—was sitting in SOLATI's systems. They got it without ever needing to breach EPM itself.
What happens now with the stolen information?
The criminals are already releasing it publicly. That's part of the pressure tactic. They're showing they have it, showing they can distribute it, hoping someone will pay to make it stop.
Did SOLATI pay them?
They said they won't negotiate with criminals. Whether that holds depends on what happens next—how much pressure the public release creates, whether authorities move quickly.
Is this a new problem?
Not new, but it's becoming the standard playbook. Companies like EPM invest heavily in their own security, but they're only as strong as their weakest partner. That's what keeps security experts up at night.
What should customers worry about?
The data exposed was analytical, not personal. But it's a reminder that your information lives in multiple places, not just with the company you pay. That's the real vulnerability.