Colombia · Business
Key Facts
—Breach scope. Approximately 3,300 user accounts across 15 Ecopetrol Group companies were compromised in the cloud-file storage intrusion.
—Extortion threat. An unidentified external actor demanded payment and threatened to publish the stolen data, though no leak has yet been confirmed.
—Operational status. Ecopetrol reports no material disruption to critical operations or production, and the ransomware execution was blocked.
—CEO timeline. Ricardo Roa Barragán is scheduled to return from a combination of medical and unpaid leave on 29 July 2026, before an expected departure before 7 August.
—Governance pressure. The board, dominated by appointees aligned with President Gustavo Petro, faces union and investor scrutiny over Roa’s legal charges and the cyber response.
The Ecopetrol cyberattack has compromised data tied to 3,300 accounts across 15 group companies, intensifying pressure on a politically charged board already navigating the contested return of chief executive Ricardo Roa Barragán.
What the Ecopetrol cyberattack actually involved
Ecopetrol disclosed the incident in a formal statement on 17 July 2026, confirming unauthorised access to cloud file-storage environments by an external actor who has not been identified. The intruder attempted to execute ransomware, which the company says its cybersecurity controls successfully blocked before encryption could take hold.
The breach nonetheless resulted in the download of data associated with roughly 3,300 user accounts, spanning approximately 15 entities within the Ecopetrol Group, including the parent company itself. Ecopetrol has acknowledged that the stolen information could include confidential, restricted, proprietary or personal data, though the precise nature and sensitivity remain under assessment.
The attacker followed the intrusion with explicit extortion demands, threatening to publish the unlawfully extracted information. As of the latest update, Ecopetrol reports no evidence that any data has actually appeared on leak sites or other public channels.
A company already under strain
This is not Ecopetrol’s first serious information-security scare. In June 2025, the company reported 29 instances of potential security violations and internal leaks of sensitive information, which chief executive Ricardo Roa at the time described as internal disclosures contravening ethical codes and governance standards.
Those earlier incidents were linked to broader governance scandals, including the controversial “Operación Casita” contract with law firm Covington & Burling, under which data from 70 employees was to be surveilled as part of a compliance review tied to Roa’s appointment. The current cyberattack, by contrast, is characterised as an external intrusion, yet it compounds a troubling pattern of information-security weakness at Colombia’s most important company.
Ecopetrol generates roughly 12 to 15 percent of Colombia’s tax income, making any threat to its operational integrity or reputational standing a matter of national fiscal consequence. The company has filed a criminal complaint with the Attorney General’s Office and is cooperating with specialised national authorities to trace the external infrastructure used in the attack.
Live Company IntelligenceEcopetrol SA ADR — the full investor dossierInside: live share price, market cap, three-year financials, valuation, ESG and peer benchmarks — plus the latest Rio Times coverage.
E
◆ Live Company Intelligence
Ecopetrol
NYSE: ECECOPETROLEnergyOil & Gas Integrated
$32.48B
Market cap
Analyst target $13.35
Wall Street view
2.5Hold/ 5
1 Buy6 Hold4 Sell
Avg. price target $13.35 · +8% vs 200-day
Valuation & profitability
Market cap$32.48B
Revenue (TTM)$125.67T
P / E ratio11.3
Profit margin7.5%
Return on equity12.0%
Price & risk
52-wk low
$7.8852-wk high
$17.75
Beta (volatility)-0.01
200-day average$12.33
Revenue trend · 6y
20202025
Latest $111.48T
Ownership
Institutions1.3%
Shares outstanding2.06B
Top holderVanguard Group Inc
Institutional holders5+ funds
Dividend
Yield4.1%
Payout ratio59.6%
Fwd. annual$0.65
What Ecopetrol does. Ecopetrol S.A. operates as an integrated energy company. It operates through four segments: Exploration and Production; Transport and Logistics; Refining and Petrochemicals; and Energy transmission and Toll Roads Concessions. The Exploration and Production segment engages in the exploration and production of oil and gas. The Transport and Logistics segment is involved in…
The governance crisis around Ricardo Roa
The cyberattack lands at a uniquely delicate moment for Ecopetrol’s leadership. Chief executive Ricardo Roa Barragán, who previously managed Gustavo Petro’s 2022 presidential campaign, faces formal charges of influence peddling filed by the Attorney General’s Office on 11 March 2026.
Prosecutors allege Roa steered a gas regasification contract at the Ecopetrol subsidiary Hocol to a businessman with close personal ties. Separately, Colombia’s National Electoral Council found in November 2025 that Petro’s campaign, managed by Roa, had exceeded legal spending limits by approximately 5.3 billion Colombian pesos (about 1.4 million US dollars).
Despite union demands for his removal and threats of a strike, the board—dominated by directors aligned with President Petro—resolved on 24 March 2026 to retain Roa as president. The board has stated its legal analyses found no violations of applicable regulations, credit agreements or material contracts tied to Roa’s situation.
Roa’s leave and the late-July return
Roa has been absent from day-to-day management since early April 2026, following a board-approved sequence of vacation, medical leave and unpaid leave. A 30-day medical certificate postponed the originally planned unpaid leave, pushing his expected return to 29 July 2026.
According to reporting by Infobae on 10 July, Roa is scheduled to present a final management report upon his return and then step down from the presidency before 7 August 2026. That date coincides with the anticipated transition to a new government under President-elect Abelardo De La Espriella, who is expected to convene an extraordinary shareholders’ assembly to reshape the board.
The board issued a statement on 25 June pushing back against media reports suggesting it might block Roa’s return, calling such claims imprecise and insisting the matter had not appeared on any board agenda. The official line is that Roa’s leave was authorised and suspended only due to medical incapacity, not political manoeuvring.
What the Ecopetrol cyberattack means for investors
Ecopetrol has reported no material disruption to critical operations, production capacity or essential services, and no immediate direct financial impact severe enough to halt normal business activities. The company has activated support with insurers and capital markets teams to manage potential financial and regulatory consequences.
Yet the company has also explicitly warned that it cannot guarantee the incident will not ultimately have a material adverse effect on its business, reputation, operating results or financial condition. For investors holding Ecopetrol shares on the New York Stock Exchange, that caveat warrants close attention, especially given the unresolved question of what sensitive data the 3,300 compromised accounts contained.
The broader read-through for Latin America portfolio holders is that state-controlled energy companies across the region face mounting cyber threats at a time when political interference in governance is already testing institutional resilience. Ecopetrol’s handling of this dual crisis—cyber remediation and leadership transition—will signal whether the Petrista-majority board can manage risk independently of partisan agendas.
What to watch in the coming weeks
The immediate priority is the forensic assessment of the downloaded data, which will determine whether the breach exposes commercially sensitive information, personally identifiable data or material that could fuel further governance scandals. Any actual publication of the stolen files would escalate the crisis considerably.
Roa’s scheduled return on 29 July and expected departure before 7 August create a narrow window for a leadership handover under extraordinary circumstances. Investors should monitor whether the board uses this period to accelerate governance reforms or whether the transition becomes entangled in the legal proceedings still facing the outgoing chief executive.
The incoming government’s stance on Ecopetrol’s strategic direction, including its approach to cybersecurity investment and board composition, will shape the company’s risk profile for years to come. For now, the market is watching a company that remains operationally intact but strategically exposed.
Frequently Asked Questions
How many accounts were affected by the Ecopetrol cyberattack?
Ecopetrol has confirmed that data associated with approximately 3,300 user accounts was compromised across cloud file-storage environments. The breach affected roughly 15 companies within the Ecopetrol Group, including the parent company. The precise nature and sensitivity of the downloaded data is still under assessment.
Is Ricardo Roa still the CEO of Ecopetrol?
Ricardo Roa Barragán remains the president of Ecopetrol but has been on a combination of vacation, medical leave and unpaid leave since early April 2026. He is scheduled to return on 29 July 2026 to present a final management report and is expected to step down before 7 August 2026, coinciding with Colombia’s presidential transition.
Has any stolen Ecopetrol data been published online?
As of Ecopetrol’s latest public disclosure, there is no evidence that the unlawfully extracted data has been published on leak sites or any other public channels. The external actor sent extortion demands threatening disclosure, but the company reports that no publication has occurred. The situation remains under active monitoring.
View original source — Rio Times ↗

