Cyber Incident Victim: Franz Carl Weber
Date: Feb 2024
Location: Switzerland
Summary
A ransomware group known as Black Basta claimed responsibility for stealing over 700 GB of sensitive data from a toy retailer, including employee personal documents such as passport copies, payroll records, HR files, and accounting information. The attackers published a sample of the stolen data as proof and threatened full release unless a ransom was paid. The retailer's parent company confirmed the breach, stating it was detected by a service provider, reported to law enforcement and data protection authorities, and that affected individuals were notified while the investigation continued. The incident did not significantly disrupt business operations, but the company declined to disclose the attack method or whether it would pay the ransom.
Description
In February 2024, the ransomware group Black Basta claimed responsibility for a cyberattack targeting Swiss toy retailer Franz Carl Weber, now owned by German parent company Müller. The group listed the company on its dark web platform, alleging theft of over 700 GB of sensitive data, including accounting documents, HR department files, and employee personal information. As proof of compromise, Black Basta published samples containing passport copies, identity cards, foreign residence permits, complete salary statements, apprenticeship contracts, and family allowance applications. The attackers threatened full publication of the dataset within approximately one week if ransom demands weren't met, though the specific financial terms and payment negotiation status remained undisclosed.

Müller's press office confirmed the breach occurred in February when their service provider detected unauthorized activity. The company promptly notified Swiss law enforcement authorities and the Federal Data Protection and Information Commissioner (FDPIC). Immediate containment measures were implemented, and affected individuals received notifications based on preliminary findings. Operational business continuity reportedly faced no significant disruptions. The parent corporation acknowledged the serious risks posed by potential exposure of personal data but declined to disclose the attack's initial entry vector or whether systems beyond Franz Carl Weber's infrastructure were compromised. A comprehensive forensic analysis remained ongoing at the time of reporting, leaving unresolved questions about the intrusion methodology and full data exfiltration timeline.
