Menu
Browse

Cyber Incident Victim: Piotr i Paweł

Date:

May 2025

Location:

Poland

Summary

A hacker gained unauthorized access to the IT systems of Spar, formerly known as Piotr i Paweł, resulting in the exposure of customers’ personal data including names, phone numbers, email addresses and delivery addresses. The breach opened the possibility of unwanted telephone calls, telemarketing and fraud attempts using the stolen information. In response, the company secured its systems, identified and blocked the source of the intrusion and notified the relevant data protection authority.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

On May 21, 2025, unauthorized access occurred to the IT systems of WSS Detal Sp. z o.o., operator of the Spar online store (formerly Piotr i Paweł), located at Druskienicka 12 in Poznań. The breach was discovered on the same day and the company issued a notification to affected customers under Article 34 of the General Data Protection Regulation. The notification was dated May 21, 2025 and referenced the company's seat in Poznań (60-476) ul. Druskienicka 12. The communication informed recipients that personal data had been compromised due to the unauthorized access.

Cyber Incident Image

The compromised data included names, surnames, telephone numbers, email addresses, and delivery addresses used for orders. The company indicated that the leaked information could lead to unwanted telephone contact, such as telemarketing or fraud attempts. It also warned that fraudsters might try to obtain money or redirect victims to fake websites by using the exposed personal details. The notice added that delivery addresses may correspond to customers' home addresses, thereby increasing the risk of targeted social engineering.

In response, the company secured access to its IT systems and identified and blocked the source of the unauthorized access. It reported the incident to the President of the Office for Personal Data Protection (UODO) as required by law. The company provided an email address, [email protected], for customers to report any suspected misuse of their data. It stated that it would make every effort to prevent similar incidents from occurring in the future. The notice concluded by affirming that the company would strive to keep personal data secure and that such an event should not happen again.

Sources
Sources available to members
2 sources