Cyber Incident Victim: Logística Integrada Sulamericana
Date: Apr 2023
Location: Brazil
Summary
The Brazilian logistics firm Logística Integrada Sulamericana (LISA) was compromised by the BlackCat ransomware group. The group publicly threatened the company, claiming its management was fully aware of the attack and theft of sensitive data but failed to engage. As proof of the breach, BlackCat published 45 screenshots of internal company documents, which included identity cards belonging to customers and partners.
Description
On or around April 21, 2023, the ransomware group known as BlackCat added the Brazilian logistics firm Logística Integrada Sulamericana (LISA) to its data leak site. The group publicly disclosed that they had successfully exfiltrated data from the company's systems. As proof of their claim, BlackCat provided 45 screenshots of various internal company documents. These documents included identity cards and other logistics company files, demonstrating the group's access to sensitive and personal information belonging to LISA, its customers, and its partners. The public listing on the leak site served as both an announcement of the successful attack and a threat to release the stolen data more widely.

Following the data exfiltration, BlackCat attempted to engage with LISA's management. The group's public statement on their leak site accused LISA's management of being fully aware of the cyberattack and the subsequent theft of sensitive data. BlackCat claimed that the company had been given an opportunity to contact the attackers to negotiate and to protect the personal and critical data of its customers and partners. According to the threat actors, LISA failed to initiate this contact. BlackCat's statement further alleged that the company believed its customers' and partners' data was insignificant and could be sold for criminal purposes, a claim used to publicly justify their decision to leak the information.

In response to the incident, LISA did not issue any public notice on its official website or through its social media channels. The company maintained public silence regarding the cyberattack and the compromise of its data systems. External attempts to solicit information from the company were met with no response. DataBreaches.net sent email inquiries to LISA on April 21 and again on April 24, 2023, seeking confirmation and details about the incident. These emails received no reply, leaving the extent of the breach and the company's internal response actions undisclosed to the public.

The primary impact of the incident was the confirmed exfiltration of sensitive data from LISA's corporate systems. The 45 screenshots published by BlackCat served as evidence that the compromised data included internal company documents and personal identification information, such as identity cards. The public threat by the ransomware group to release the stolen data created a significant risk of the information being misused for criminal purposes, including potential identity theft and fraud, affecting LISA, its employees, its customers, and its partners. The reputational damage to the company was compounded by the attackers' public accusations regarding the company's failure to protect stakeholder data.

There was no public information available regarding LISA's internal detection of the incident, its initial response, or any containment measures it may have undertaken. The company's complete lack of public communication meant that stakeholders were not officially informed of the potential risks to their personal data by the entity that was compromised. The only available information concerning the attack's scope, the threat actor's actions, and the proof of data theft came directly from the adversary's leak site, not from the affected organization. The incident involving Logística Integrada Sulamericana (LISA) was one of several cyberattacks targeting organizations in South America during this period, as reported concurrently with events affecting entities in Colombia, Argentina, and Chile.
