Cyber Incident Victim: Rada
Date: Jun 2023
Location: Italy
Summary
An Italian fashion company, Rada, was the victim of a cyber attack claimed by a threat actor on Breach Forums. The attacker asserted possession of its internal database containing approximately 25,000 customer records. The compromised data includes a wide array of sensitive personal and financial information such as customer names, email addresses, billing and shipping details, payment methods, and purchase histories. The company had not yet issued a public statement regarding the incident at the time of the report.
Description
On or around June 20, 2023, a cybercriminal publicly claimed responsibility for a cyberattack against the Italian fashion company Rada. The claim was made in a post on the underground cybercrime platform known as Breach Forums. The threat actor asserted they were in possession of data stolen from the company's internal systems. The specific details regarding the initial attack vector, such as how the threat actor gained unauthorized access to Rada's network, were not disclosed in the public claim. The timing of the initial breach, prior to the public post on Breach Forums, was not specified by the threat actor or confirmed by the company in the available information.

The threat actor's post on Breach Forums served as the primary public announcement of the incident. In this post, the cybercriminal explicitly stated they had exfiltrated a database from Rada's internal website. The compromised dataset was described as containing 25,000 individual records. The threat actor provided a detailed schema of the stolen data to substantiate their claim. The listed data fields included a wide array of sensitive customer and transactional information. The specific data elements comprised internal ID numbers, purchase details such as point of sale and date, and comprehensive customer personally identifiable information including Bill-to Name and Ship-to Name. Financial information was also listed, including Grand Total amounts in both base and purchased currencies, the Subtotal, Shipping and Handling costs, and the Total Refunded. The record also contained the order Status, detailed Billing and Shipping Addresses, Shipping Information, and the Delivery Date. Customer information included the Customer Email, Customer Group, and Customer Name. Payment Method details and a specific field labeled "Signifyd Guarantee Decision" were also listed as part of the stolen data set.
Following the public claim on the forum, the incident gained public attention through cybersecurity news outlets. The news website RedHotCyber reported on the threat actor's claim, noting the appearance of the post on Breach Forums. The report highlighted that, at the time of its publication, it was not yet possible to independently verify if the data was authentic and truly belonged to Rada. This uncertainty was partly due to the absence of an official public statement or press release from Rada on its website addressing the incident. The news article provided a platform for the company, offering space for an official statement should Rada wish to provide updates on the situation. The article also stated that the publication would monitor the evolution of the event for any substantial developments and provided an encrypted email channel for anonymous whistleblowers or informed individuals to share further details.
The platform used for the breach claim, Breach Forums, was described as a successor to the infamous Raid Forums underground platform. These forums operated as online gathering points for individuals involved in cybercrime, providing a space for anonymous communication. The forums were used to discuss various malicious activities, including exchanging information and selling or trading stolen data. While popular within the cybercriminal underground, these platforms also became focal points for law enforcement and security researchers seeking to understand emerging threats. Raid Forums was previously shut down in a law enforcement operation in April 2022, which involved authorities from multiple countries and resulted in the arrest of key administrators and members. Following that takedown, some users migrated to the new Breach Forums platform, which continued to serve as a hub for those interested in data breaches and trafficking sensitive information. The activities on these forums are illegal, and law enforcement works consistently to counter them and protect online users from data breaches and other forms of cybercrime.
The immediate impact of the incident was the potential exposure of highly sensitive personal and financial data belonging to Rada's customers. The compromise of 25,000 records posed a significant risk of fraud and identity theft for the affected individuals, given the breadth of information listed. The data fields encompassed everything necessary for targeted phishing campaigns, financial fraud, and identity impersonation. For the company, Rada, the incident carried potential reputational damage and the risk of non-compliance with data protection regulations such as the General Data Protection Regulation (GDPR) in Europe. The financial and operational consequences of such a data breach could include regulatory fines, legal costs associated with lawsuits from affected customers, and the expense of providing credit monitoring services. The full scope of the impact, however, remained unconfirmed as the company's official response and verification of the data's authenticity were not publicly available at the time of the reporting.

The response actions taken by Rada internally, including any steps to contain the breach, investigate its root cause, or assess the damage, were not detailed in the public domain. The public-facing response, specifically the lack of an immediate official statement or press release on the company's website, was noted as a point of interest in the initial news coverage. The longer-term response, including potential notification of affected customers and regulatory bodies, was not covered in the available information. The involvement of external cybersecurity firms for incident response or law enforcement agencies investigating the claim was also not mentioned.
The incident exemplifies the ongoing threat posed by cybercriminal actors who target corporate databases containing valuable customer information and utilize underground forums to publicly claim responsibility, often before the victim organization has fully assessed the situation or prepared a public response. The case underscores the challenges companies face in managing the public disclosure of a breach, particularly when details first emerge from adversarial sources rather than through controlled internal channels.
