Swedish heavy vehicle manufacturer Scania has confirmed that threat actors breached its insurance and financial services division. A member of the Volkswagen Group, Scania is a major global producer of large trucks, buses, and heavy industrial vehicle engines. Earlier this month, a threat actor going by the name “hensi” claimed a cyberattack on the company’s insurance website. The threat actor wrote in a post that they were selling the full set of files stolen from Scania insurance. The company employs over 59,000 people worldwide and has an annual revenue of more than $20.5 billion.
In a statement to BleepingComputer, Scania confirmed that various threat actors had breached its network and exfiltrated sensitive data. A Scania spokesperson said, “We can confirm there has been a security related incident in the application ‘insurance.scania.com’.” They explained that on the 28th and 29th of May, a perpetrator used legitimate external user credentials to gain access. The company's current assumption is that the credentials used by the perpetrator were leaked by some kind of password stealer malware. Using the compromised account, the threat actor then illegally downloaded documents directly related to various insurance claims.
Following the breach, the threat actor used an @proton.me email address to extort company employees directly.
Early on May 30th, the attacker sent emails to a number of Scania employees threatening to disclose the stolen data. A follow-up email with very similar content came a little later from an unrelated third party whose own email had been compromised. The sensitive data was later leaked online by an actor named Hensi, presumably after the extortion attempts had failed. While the leaked data samples have not been observed, insurance documents typically contain large amounts of personal data from many people.
Scania has launched a full investigation into the breach and has notified the relevant privacy authorities. The company added that the cyberattack’s overall impact on its business operations was quite limited in scope. The compromised application has since been disabled and is no longer reachable online, showing a “system maintenance in progress” message. This incident underlines that insurers are a popular target for cyberattacks, given the large volumes of sensitive customer data they hold. It also highlights the significant risks posed to large corporations through their third-party IT service provider relationships and supply chain.