Cyber Incident Victim: Saville Row

Date: Apr 2023

Location: Chile

Summary

The Chilean clothing retailer Saville Row was attacked by the BlackCat ransomware group. The threat actors claimed to have exfiltrated internal company documents, including invoices and purchase orders, and publicly threatened to expose and sell the personal data of its customers unless a ransom was paid within 72 hours. Despite these threats, the posted deadline passed without further public confirmation of a data sale from the group.

Description

On or around April 21, 2023, the Chilean clothing retailer Saville Row was listed on the data leak site operated by the BlackCat ransomware group. The threat actors provided sample files as proof of their claim, which consisted of internal company documents such as invoices and purchase orders. In their public post, BlackCat issued a direct threat to the company, stating that in the very near future, all personal data of Saville Row customers would be exposed. They further threatened that the sensitive and confidential customer data would soon be sold on the black market for purposes including money laundering and other criminal activities. The group issued a 72-hour deadline to Saville Row to prevent the sale of its customers’ data, a messaging tactic described as becoming almost standard for BlackCat during this period. Despite these attempts to pressure the victim, the deadline passed without any publicly observed follow-through on the threat from the ransomware group.

An investigation into Saville Row's public-facing communications found no notice of any security incident posted on the company’s official website or its social media networks. The organization did not respond to email inquiries sent by DataBreaches.net on April 21, 2023, asking them to confirm or deny the attack claimed by BlackCat. Saville Row was one of several Latin American companies listed on ransomware leak sites during this timeframe. On the same day, BlackCat also added Seguros la Occidental, a Venezuelan insurer, to its site, providing 27 screenshots of various insurance documents and ID cards as proof. A Guatemalan firm, Cementos Progreso, was also listed by BlackCat on April 21 with samples of internal documents. The listing for Cementos Progreso subsequently disappeared from BlackCat's leak site on April 27, 2023, though the company had not responded to earlier email inquiries.

The incident involving Saville Row shares characteristics with other cyber events reported during the same period, illustrating common tactics used by threat actors. The LockBit group added Banco de Venezuela to its leak site on April 19, though the bank forcefully denied any attack via its Twitter account, stating its platforms were operating normally and with security. Analysis of LockBit's provided proof did not support their claim of a system compromise, leading to the claim being treated as disputed. In Brazil, the CrossLock ransomware group claimed an attack on Valid Certificadora Digital, a firm that issues digital certificates. CrossLock asserted they had encrypted the entire network, including virtual machines, and exfiltrated sensitive data such as SSL certificates, server databases, and documents. Valid Certificadora posted a notice on Facebook about restoring services after a temporary instability but made no mention of ransomware or a ransom demand. CrossLock subsequently leaked 1.5GB of files and offered to sell valid certificates for use in signing malware.

The primary impact of the Saville Row incident was the confirmed exfiltration of internal corporate documents, as evidenced by the samples provided by BlackCat. The potential exposure of customer personal data was explicitly threatened but not conclusively demonstrated through public leaks following the passed deadline. The company's lack of public response or acknowledgment limited the available information regarding the full scope of the data compromise, the operational impact on business systems, or any internal containment efforts undertaken. The reputational damage from being named on a ransomware leak site and the threat to customer data remained a significant consequence. The incident highlighted the continued targeting of retail and other sectors in Latin America by sophisticated ransomware operations employing double-extortion tactics, combining system encryption with threats to release stolen data. The response actions, if any were taken by Saville Row, were not disclosed through public channels, leaving the containment and remediation measures unknown externally. The event concluded from an external perspective with the passing of BlackCat's deadline without further public action, though the long-term consequences for the organization and its customers remain unclear due to the absence of official confirmation or detailed reporting.
