One of South Africa’s biggest supermarket chains, Shoprite, was recently hit by a massive leak of client information. The ‘hacked’ data is now being auctioned off on the dark web, with a starting price of 20 Bitcoin, or about R6.7 million.
A group known as RansomHouse claimed credit for the attack, which took place at the beginning of June.
Shoprite initially responded to the attack by stating that there may have been a ‘possible data compromise’ which involved a few money transfer clients. In reality, the data stolen was much worse than Shoprite first made it seem.
RansomHouse decided to leak a small portion of the stolen information online to prove they were the real deal. Information such as client names, ID numbers, and photographs of IDs was posted on the group’s site on the dark web. The leak itself was relatively small: only 356 files in total. The full information on sale is much larger and far more valuable.
It seems that affected customers are those who performed any sort of money transfer to or from Eswatini, Namibia, and Zambia. If you are one of these people, your private information may be a part of the leak.
RansomHouse has been trying to get in touch with Shoprite since the attack to negotiate some sort of deal. It’s been said that Shoprite has refused any contact whatsoever.
Shoprite is cheap
On Monday evening, RansomHouse made a statement about Shoprite’s security:
“With regards to Shoprite, we’ve made a decision to add more information about how their infrastructure was compromised. We’ll also publish the whole filetree data, so everyone could get the idea of how massive the leak actually is.”
The group claims that it will back down as soon as Shoprite contacts it about negotiating a potential deal.
“We’ve waited long enough for Shoprite to contact us and prevent the further leak, but they could not have cared less about their clients — they’ve only promised to notify everyone involved with an SMS. This is the way large corporations prefer to deal with simple folk who entrust their personal data to these giants, not even an apology for violating all possible standards of data protection, not the slightest attempt to fix the situation.”
Since the attack, Shoprite claims to have cordoned off the parts of its network that were hacked. The company says it has amended authentication processes and its detection strategies so that this can’t happen again. RansomHouse, on the other hand, doesn’t believe Shoprite has done enough to protect its customers, even after the attack.
“We’ve contacted Shoprite management and invited them to negotiate, but the only thing they did is change their passwords like it solves everything. It’s been quite some time since we encountered something that outrageous,” the group said in an earlier statement.
“Their staff was keeping enormous amounts of personal data in plain text [and] raw photos packed in archived files, completely unprotected.”
RansomHouse said that besides FICA data, it also obtained “…lots of other interesting stuff”.
It’s a pretty weird thing to see a group that sells private information chewing out the company it stole from. Just imagine if the guy who killed Batman’s parents got upset with them for not wearing bullet-proof vests.
It’s a little messed up, but RansomHouse isn’t wrong. Who better to tell a company its security is weak than the people bypassing that same security? Hopefully, this is a wake-up call for Shoprite, and it decides to invest a little more in network security to avoid this happening again.