Cyber Incident Victim: SPAR Handels AG
Date: Mar 2025
Location: Switzerland
Summary
In the overnight hours, a cyberattack struck SPAR Handels AG, disabling payment terminals in its stores and forcing customers to rely on cash or Twint for purchases. The incident also crippled the retailer’s ordering and goods‑receipt systems, leading to temporary product shortages and halting scheduled deliveries for the coming week while core assortment shipments remained assured for the immediate period. Tank‑shop locations were reported unaffected, and the company engaged cyber specialists to restore operations as quickly as possible.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In the night from Thursday, 13 March to Friday, 14 March 2025, SPAR Handels AG, which operates the Spar Gruppe Schweiz including the TopCC markets, was targeted by a cyberattack that disrupted its IT systems. The attack caused the electronic cash (EC) devices in Spar branches to stop functioning, leaving customers able to pay only with Twint or cash, although Twint was also reported as unavailable in some locations. Spar issued a statement on its website informing customers that it had become a victim of a cyberattack and that first analyses indicated the systems were broadly affected. By Friday evening, visitors to a Spar supermarket confirmed the outage, with staff noting that only cash worked and that signs at the checkout indicated the payment limitations. On Saturday afternoon, Spar sent a media release detailing that the incident had occurred during the night of 13 to 14 March 2025 and that business operations were currently disturbed. The release also noted that some products might be temporarily unavailable in the markets due to the disruption of the goods ordering and receipt system.

The cyberattack affected the system responsible for ordering goods and processing deliveries, which meant that the usual automated replenishment could not be executed. Spar communicated that the delivery of the 65 Leader‑articles, representing the core assortment, was still guaranteed for Saturday but that the system would not be able to trigger deliveries for Monday. To mitigate the impact on store shelves, Spar advised its branches and partners to inform regional suppliers and to make use of local sources, specifically mentioning that bread should be ordered from Regio Beck. The statement clarified that the tank‑shop operations were not impacted by the system outage. Spar’s corporate structure comprises 143 Spar‑Nachbarschaftsmärkte, 97 Spar‑Express‑Convenience‑Markets, 10 Spar‑Minimärkte and 11 TopCC‑Cash‑&‑Carry‑Supermarkets, with a quarter of the neighbourhood markets being group‑owned and the remainder operated by independent franchisees.

In response to the attack, Spar engaged cybersecurity specialists to obtain an overview of the situation and to work on restoring operations as quickly as possible. The company reported that, by Saturday, card payments could be made again in many Spar stores through the use of Sumup devices as an interim solution. Spar’s management committed to keeping the stores informed over the weekend about the status of recovery efforts and emphasized that all employees were working together to resume normal business activities. The communication from Spar indicated that the incident presented a significant challenge but that immediate steps were being taken to address the system failures and to limit further disruption to customers and suppliers.
