Cyber Incident Victim: Panasonic India Pvt. Ltd.
Date: Nov 2020
Location: India
Summary
Attackers attempted to extort Panasonic India by threatening to release stolen data unless a ransom was paid, subsequently publishing a 4GB archive containing sensitive financial records, supplier bank account details, employee information, and unencrypted passwords for critical systems. The victim stated no customer data was compromised, but security analysts contested this, highlighting exposed confidential supplier contracts, employee credentials, and internal documents marked as strictly confidential. The breach involved administrator-level access to internal domains, potentially through Active Directory, with the attacker offering network access for sale to other threat actors. Security experts noted poor practices, including storing passwords in plaintext spreadsheets despite internal policies advising complexity, and failure to encrypt sensitive files. The incident exemplified a broader trend of attackers monetizing network access through extortion or resale to ransomware groups.
Description
In mid-October 2020, a Russian-language post on a cybercriminal forum advertised network access to an unnamed large electronics manufacturer, later confirmed as Panasonic India. The post threatened to release 4GB of stolen data unless a $500,000 ransom was paid within seven days, while also offering the data and network access for $40,000 in bitcoin. The attacker claimed to have sent ransom notes to Panasonic India’s corporate email addresses and asserted administrator-level access to two internal domains, likely involving Microsoft Active Directory. On November 3, 2020, the attackers followed through by publicly releasing the data archive containing sensitive financial records, supplier bank account numbers, accounting spreadsheets, password lists for critical systems, employee email addresses, and internal communications. Panasonic India acknowledged the breach in a statement on November 3 but asserted no “highly confidential” customer or supplier personal information was exposed, adding that security had been “bolstered” at the Indian subsidiary and that global affiliates were reinforcing countermeasures. Resecurity, a cybersecurity firm that engaged with the attacker, described the individual as Russian-speaking and technically sophisticated, noting this actor’s pattern of extorting companies before selling network access to ransomware groups if unpaid—a tactic the attacker allegedly employed in separate breaches like the Foxconn incident.

The leaked data included detailed records of 58 subcontractors’ bank accounts, a confidential list of 197 international suppliers with contact information, and outstanding account balances from vendors dating to March 2020. Security analysts at Hold Security confirmed the presence of unencrypted password spreadsheets for corporate email, remote administration tools, CCTV systems, ERP software, and McAfee security products—credentials that could facilitate further network intrusions. Internal Panasonic India documents advising against simple passwords like “123” contrasted with actual exposed credentials showing weak password practices. The attacker organized the stolen data into folders labeled “Panasonic India” in Russian, suggesting intentional curation for usability by other criminals. Analysts warned the data could enable business email compromise (BEC) scams targeting Panasonic’s suppliers, while the exposure of financial records and internal communications risked reputational damage and operational disruption. Panasonic India declined to disclose the initial breach vector or confirm whether the incident impacted broader corporate systems beyond its subsidiary.
