Cyber Incident Victim: Naivas Supermarket

Date: Apr 2023

Location: Kenya

Summary

In April 2023 the Kenyan supermarket chain Naivas suffered a ransomware attack claimed by the BlackCat group, which said it had exfiltrated more than 1 TB of data. The company engaged law enforcement and external incident responders and notified customers publicly, stating that payment card data was not affected because it was never stored on the compromised systems. The threat actors announced that they intended to sell the stolen data for use in criminal activity such as money laundering.


Description

On or around April 23, 2023, the Kenyan supermarket chain Naivas disclosed that it had suffered a significant cybersecurity incident. The company announced the event through a formal notification posted on its official Twitter account, with the statement attached as an image file; this post was the primary channel for informing customers and stakeholders that its systems had been breached and data stolen. At about the same time, the ransomware group BlackCat claimed responsibility for the attack and published material it presented as proof that the intrusion had succeeded, including evidence that it had exfiltrated a large volume of corporate data from Naivas's internal network.

BlackCat asserted that it had taken more than one terabyte of data from Naivas's systems. A transfer of that size points to a sustained period of unauthorized access and data exfiltration before the incident was discovered and disclosed; outbound traffic on that scale is also the kind of anomaly that egress monitoring and data-loss controls are meant to surface. The attackers stated publicly that they intended to monetize the stolen information by selling it, and named money laundering as one of the criminal purposes buyers could put it to. That declaration made the direct criminal threat arising from the breach explicit.

In its notification, Naivas gave assurances about specific categories of sensitive information. The company stated that payment card data was never at risk because its systems were designed not to retain or store such data, so it was not present on the compromised systems to be stolen. As stated, this assurance covers stored card data only; the notice did not detail what other categories of data were held on the affected systems. Naivas's response began promptly after discovery: it notified law enforcement and engaged the cybersecurity firm CrowdStrike to lead the incident response, a step aimed at containing the intrusion and establishing the full scope of the compromise.

The incident was a serious breach of Naivas's corporate network that resulted in the theft of a large volume of company data. The core impact was the exfiltration and potential exposure of sensitive corporate information, whose exact nature the public announcement did not detail beyond its size. The company's immediate response centered on public communication, law enforcement engagement, and a professional incident response investigation to establish the depth of the breach and to mitigate any ongoing threat to its systems. The event underscored the exposure of large retail chains to well-resourced ransomware operations and to large-scale data exfiltration.

The aftermath involved managing the reputational and operational consequences of the attack while investigators worked to determine the full extent of the data stolen and the initial access vector the threat actors had used. The involvement of an established ransomware group indicated a financially motivated attack aimed at extortion, whether through a ransom demand for a decryption key if systems were encrypted, for the deletion of the stolen data, or both (the double-extortion model).
