
Cyber Incident Victim: Boga Group

Date: Sep 2022

Location: Indonesia

Summary

A cybercriminal group known as DESORDEN breached the servers of a major restaurant operator with over 200 outlets across Indonesia and Malaysia, exfiltrating over 31 GB of sensitive data. The compromised information included approximately 409,000 customer records containing names, phone numbers, and email addresses, alongside 16,000 employee records, financial documents, and corporate files. The attackers deleted databases from the compromised servers as proof of their intrusion but acknowledged the victim likely maintained backups. DESORDEN indicated financial gain as their primary motive, estimating the stolen data could yield up to $20,000 through sales to buyers seeking personal information from Southeast Asian countries, while criticizing the region's weak cybersecurity regulations and breach notification practices.


Description

On or around September 2, 2022, the Boga Group, a restaurant operator managing over 200 outlets across Indonesia and Malaysia under brands including Bakerzin, Pepper Lunch, Paradise Dynasty, and Boga Catering, experienced a significant cybersecurity breach. The hacker group DESORDEN infiltrated the company’s servers, exfiltrating over 31 GB of data comprising corporate documents, financial records, and sensitive personal information. The attackers acquired 409,168 customer records containing names, phone numbers, and email addresses, alongside 16,476 employee records. DESORDEN provided evidence of the breach through a recorded demonstration showing directories, spreadsheets, and .csv files from Boga Group’s systems, with row counts matching their claims. In their message to the company, embedded in the recording, DESORDEN stated they had deleted databases from the servers after downloading them, asserting this action was intended to force acknowledgment of the breach while assuming Boga Group maintained backups. The group emphasized the theft’s scale and specificity, directly challenging the company to verify the incident with its IT department.


DESORDEN disclosed the breach to DataBreaches.net, framing the attack as part of a broader pattern targeting businesses in Indonesia, Malaysia, and other Southeast Asian nations due to perceived weak cybersecurity practices and lax regulatory enforcement. The group cited profitability in selling stolen data, estimating potential earnings of up to $20,000 USD for job-related information, with Chinese buyers showing particular interest in personal data from the region. Boga Group did not respond to DataBreaches.net’s request for comment, leaving the company’s internal detection mechanisms, containment efforts, and post-incident actions undocumented in public sources. DESORDEN characterized their disclosure as a “courtesy,” reflecting skepticism about regulatory or corporate responsiveness in affected countries. The breach exposed operational and financial vulnerabilities within Boga Group, risking reputational damage and potential misuse of customer and employee data. DESORDEN concurrently signaled intent to expand operations in South Korea, Taiwan, Vietnam, Japan, and Thailand, aligning with market demand for regional personal data.
