Hackers claim breach of hat brand worn by Nicole Kidman and Hillary Clinton

Published: 9 March 2026
Last updated: 11 March 2026
helen kaminski 2

A luxury fashion label worn by Hollywood stars has landed on a ransomware gang’s hit list.

The Play ransomware group has added Australian fashion icon Helen Kaminski to its dark web leak site. The breach notice came up on March 8th, claiming responsibility for the cyberattack. However, the gang has yet to release proof of the breach.

The attackers started a three-day countdown, putting public pressure on the victim to negotiate. It also suggests that they will publish the stolen files if the company refuses to pay the ransom.

ADVERTISEMENT

According to the Play group’s listing, the attackers claim to have exfiltrated sensitive corporate data, including:

  • Client documents
  • Payroll information
  • Financial and tax records
  • IDs

Founded in 1983, Helen Kaminski built a global reputation for handcrafted raffia hats and luxury summer accessories. The company’s signature raffia hats have long been a staple of celebrity wardrobes.

Among those spotted wearing the brand are Nicole Kidman, Angelina Jolie, Cindy Crawford, Drew Barrymore, Naomi Watts, and Hillary Clinton during her visit to Australia.

image
Play ransomware leak site. Screenshot by Cybernews

What could happen next

Ransomware groups are increasingly using double extortion to make profits. This kind of attack works by first locking victims out of their systems, then exfiltrating internal data and threatening public data leaks if the victim refuses to pay ransom.

“Play hasn’t published any samples yet, but the three-day timer indicates data could be released soon,” Cybernews researchers said.

ADVERTISEMENT

If the data claimed by Play proves to be real, it could carry several risks.

“If this is true, it could potentially affect company employees if there’s any PII in the dataset. Also, there is a risk of business operation exposure.”

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google
Follow us

Exposing employee payroll records is particularly sensitive, as paired with IDs, they could put staff at risk of identity theft or fraud.

The company might also be targeted, as leaked internal files might reveal operational details or business relationships that attackers could exploit in future attacks.

Cybernews has reached out to Helen Kaminski for confirmation, but has not received a response at the time of publication.

What we know about Play ransomware

Play ransomware has been linked to Russia and remains among the most active ransomware gangs. According to Cybernews's dark net monitoring tool, since 2023, the gang has listed 1106 victims, 52 of which are in the last month alone.

In 2025, the ransomware cartel claimed Jamco Aerospace, a commercial and military aircraft industrial parts supplier for the US Navy, Boeing, and Northrop Grumman. It also targeted ADC Aerospace, a US-based engineering component maker for the defence and aerospace sectors.

Among the fashion companies hit, the cartel has previously attacked Esquire Brands, a maker of kids' footwear operating several popular brands.

ADVERTISEMENT

In 2023, Play was behind the attack on the Palo Alto County Sheriff's office in Iowa and the Donald W. Wyatt maximum security detention center in Rhode Island.

Share
Post
Share
Share
Share
More from Cybernews
Meta has quietly shipped the technology needed for facial recognition glasses
Hackers getting an easy ride: misconfigured cloud settings behind growing number of data breaches
Anthropic claims AI is too fast and needs to hit the brakes: let’s take it with a pinch of salt
US lawmakers push new bill on AI safety, state law limits, worker protections
Pewdiepie declares war on big tech following the release of his free and local AI workspace
California tech CEO busted for selling forbidden US technology to Iran’s nuclear agency
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked