
Cyber Incident Victim: London, United Kingdom

Date: Jan 2024

Location: Hungary

Summary

Pepco Group experienced a sophisticated phishing attack targeting its Hungarian operations, resulting in a financial loss of approximately €15.5 million with uncertain prospects for recovery. The company confirmed no compromise of customer, supplier, or employee data and initiated immediate measures to reinforce IT and financial controls across its operations. Despite the incident, the retailer maintains robust liquidity exceeding €400 million and continues generating strong operational cash flow while conducting a comprehensive review of systems and processes to enhance future security resilience.


Description

In early January 2024, Pepco Group N.V., a European retail conglomerate operating brands including Pepco, Poundland in the UK and Ireland, and Dealz in Ireland and Poland, disclosed a sophisticated fraudulent phishing attack targeting its Hungarian business unit. The incident resulted in an immediate financial loss of approximately €15.5 million in cash, though no customer, supplier, or employee data was compromised during the breach. Upon detection, the Group initiated an urgent investigation to assess the scope of the attack and implemented measures to secure its group-wide IT infrastructure and financial control environment. The attack specifically exploited vulnerabilities in the Hungarian subsidiary’s systems, though the exact technical vector of the phishing campaign was not detailed in public statements. Pepco engaged banking partners and law enforcement agencies to trace the stolen funds and explore potential recovery options, though the likelihood of restitution remained uncertain at the time of reporting. The company emphasized that its operational liquidity remained robust, with over €400 million available through cash reserves and credit facilities, and affirmed that ongoing cash flow from retail operations was unaffected.

Pepco’s response included a comprehensive review of all IT systems and financial processes across its European operations to identify and remediate potential weaknesses. This group-wide audit aimed to strengthen defenses against future cyberattacks and reinforce internal controls, though no specific technical safeguards or policy changes were disclosed publicly. The incident prompted heightened scrutiny of financial transaction protocols, particularly within regional subsidiaries, though the parent company confirmed the attack was isolated to Hungary. While the breach did not disrupt store operations or compromise sensitive data, it highlighted systemic risks associated with targeted social engineering attacks against corporate finance functions. Pepco committed to providing further updates as the investigation progressed, but no additional details regarding threat actor attribution, forensic findings, or long-term financial repercussions were released within the initial disclosure period. The company maintained that its strong balance sheet would absorb the financial impact without requiring external capital injections or operational adjustments beyond the security enhancements already underway.
