Cyber Incident Victim: Naivas Supermarket

Date: Apr 2023

Location: Kenya

Summary

Naivas, a major Kenyan retail chain, was the victim of a ransomware attack by a criminal organization that compromised some of its data. The company engaged CrowdStrike to secure its systems and notified law enforcement and data protection authorities. While no payment card information was stored, the stolen data may include customer personal information such as names and contact details from its loyalty program. The threat actor has claimed they will publish the data.

Description

On or around April 1, 2023, Kenyan retail chain Naivas publicly confirmed it had fallen victim to a cyber attack perpetrated by an online criminal organization. The incident was identified as a ransomware attack, and Naivas stated it was one of many corporates and organizations both within and outside Kenya that were targeted by the same threat actor. The unlawful intrusion into Naivas's systems resulted in a data breach, with the attackers potentially compromising some of the retailer's data. The specific initial vector of the attack and the exact timeline of the initial compromise were not publicly disclosed by the company.

Upon becoming aware of the intrusion, Naivas took immediate steps to prevent further external access to its systems. The company engaged the global cybersecurity firm CrowdStrike to assist in ensuring system integrity and to conduct a forensic review of the incident. This engagement was part of the containment and response effort to secure the compromised environment. The process of securing the systems was reported as complete, with Naivas confirming that the attack had been contained, its systems were secure, and its retail operations were functioning normally across its 80 outlets and e-commerce platform. The company also stated it had enhanced its cybersecurity practices as a result of the incident.

The threat actor behind the attack claimed to have successfully exfiltrated data from Naivas's systems and threatened to publish this information online. Naivas acknowledged that the stolen data may include customer personal information. In response to the breach, Naivas initiated cooperation with relevant law enforcement agencies who were investigating this incident alongside numerous other contemporary ransomware attacks in Kenya. The company also formally informed the Office of the Data Protection Commissioner Kenya of the data breach, fulfilling its regulatory obligations.

Regarding the impact on customer data, Naivas provided specific details on the types of information it holds and what was potentially at risk. The company confirmed it does not store any credit card or debit card information on its systems for any transactions, whether in-store or through its e-commerce website. Payment data was described as being handled securely by third-party payment service providers who protect it through SSL encryption and maintain certifications such as ISO 27001. Similarly, the company stated it does not hold bank account details, Personal Identification Numbers (PINs), or passwords for its customers. For mobile money transactions, Naivas only recorded customary transactional information. The primary data of concern involved personal information held for members of its loyalty program. This data, to the extent supplied by customers, included names, ID numbers, telephone numbers, email addresses, and home addresses. The company reported that at the time of its announcement, it was not aware of any malicious use of the stolen data. Customer loyalty points were not impacted, and members could continue to earn and redeem points as normal.

The company's public response included the issuance of a detailed statement and a comprehensive list of frequently asked questions posted on its website. This communication was attributed to Willy Kimani, the Chief Commercial Officer. The FAQs addressed operational security, the nature of the stolen data, and provided guidance to customers. Customers were advised to remain vigilant against potential phishing attempts conducted via phone, SMS, or email, where fraudsters might purport to be from reputable companies to induce individuals to reveal personal information. Naivas explicitly stated it would never contact customers to ask for passwords or PINs. For further information, customers were directed to contact the Naivas Data Protection Officer, Jean Wambui, or visit a store.

The broader legal context was noted in one article, referencing Kenya's Computer Misuse and Cybercrime Act 2018, which stipulates that unauthorized access to a computer system can attract a fine not exceeding five million Kenyan shillings or a jail term not exceeding three years, or both. One article also provided general cyber threat context from the Communications Authority of Kenya, which indicated 250 million cyber threats were detected in the second quarter of the 2022/2023 financial year, with 36.8 million of those being malware threats such as ransomware. The incident underscored the ongoing cybersecurity challenges faced by organizations in Kenya.
