Cyber Incident Victim: Sonae
Date:
Mar 2022
Location:
Portugal
Summary
The Sonae Group, owner of Continente hypermarkets, experienced a cyberattack disrupting commercial websites and in-store services, including online platforms, tax receipt issuance, and customer loyalty card functionality. Physical retail locations remained operational with cash and card payments unaffected, though certain digital services were inaccessible. The company's IT teams worked to investigate the incident and restore normal operations, with no evidence of compromised customer data reported during the initial response phase.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 3 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On March 30, 2022, at approximately 2:00 AM, the Sonae Group—owner of Portugal's Continente hypermarket chain—experienced a significant cyberattack disrupting its digital and in-store operations. The attack rendered all Continente commercial websites inaccessible and impaired internal systems supporting physical retail locations. While stores remained open for business, critical functions were compromised: customers could not receive tax receipts (faturas) at checkout, and the Continente customer loyalty card system—used for accumulating discount points—failed to operate. Payment processing remained functional for both cash and card transactions, allowing basic retail activities to continue. Sonae’s IT teams immediately initiated investigations into the incident and worked to restore normal operations, though no estimated timeline for full recovery was provided. The company issued public statements confirming the cyberattack but emphasized no evidence of customer data compromise had been identified at that stage.
The incident occurred amid a surge in high-impact cyberattacks targeting Portuguese organizations in early 2022, including the January attack on Impresa Group (parent company of SIC television and Expresso) by the Lapsus$ hacking collective. Unlike ransomware operations, this attack caused operational disruption without explicit ransom demands or overt data theft claims. Insurance industry representatives had warned of escalating attacks following the Impresa breach, predicting similar incidents were inevitable. Sonae’s response focused on containment and restoration, with no disclosure of attack vectors or perpetrator attribution. Service disruptions persisted for an unspecified duration while technical teams addressed the system-wide disturbance, prioritizing the reinstatement of online platforms and loyalty program functionality. The attack highlighted vulnerabilities in retail sector infrastructure, particularly the interdependency between digital services and physical store operations.