Cyber Incident Victim: Nestlé

Date: Mar 2022

Location: Switzerland

Summary

A multinational food company faced a data leak when hackers associated with Anonymous released 10GB of internal information, including emails, passwords, and client data, as retaliation for maintaining business operations in Russia following the Ukraine invasion. The victim denied a cyberattack, attributing the incident to unintentional exposure of predominantly public test data from a business test environment during a brief period, which was promptly investigated with no further action deemed necessary. The hackers framed the leak as a "first warning shot," threatening escalated actions against multiple companies defying their ultimatum to exit Russia, while cybersecurity analysts noted the compromised data likely originated from insufficiently protected test systems vulnerable to exploitation.

Description

In March 2022, Nestlé faced claims of a cyberattack after hacking groups associated with Anonymous leaked 10GB of data purportedly containing emails, passwords, and client information. The incident surfaced on March 22 when Anonymous-affiliated Twitter accounts, including KelvinSecurity Group, published the data dump alongside threats targeting companies continuing operations in Russia following its invasion of Ukraine. Nestlé swiftly denied suffering a cyberattack, attributing the leak to a February 2022 incident involving a business test website. A company spokesperson stated that "randomized and predominantly publicly available test data of a B2B nature" had been unintentionally exposed online for a short period, emphasizing that the data was not from production systems. Nestlé asserted it had investigated the February exposure and deemed no further action necessary, reiterating cybersecurity as a top priority. Independent analysis by Laminar CTO Oran Avraham supported Nestlé’s claim, identifying the compromised database as likely originating from a test or staging environment—a common target due to weaker protections and monitoring.

The leak occurred amid Anonymous’s broader #OpRussia campaign, which issued a 48-hour ultimatum on March 20 demanding companies exit the Russian market or face cyberattacks. Nestlé, alongside Burger King, Subway, Bridgestone, and Raiffeisen Bank, was explicitly threatened. Anonymous framed the Nestlé data release as a "first warning shot," implying potential follow-up actions, though no subsequent attacks were confirmed. Nestlé’s Czech spokesperson, Tereza Skrbková, reiterated that the data exposure was isolated to test data and had been resolved in February, dismissing the March claims as unfounded. The incident highlighted risks associated with "shadow data" in cloud environments, with Laminar noting 50% of organizations experienced cloud breaches in the preceding two years. Anonymous’s campaign included DDoS attacks against Russian government and corporate targets, though Nestlé maintained no operational disruptions occurred beyond the initial test data exposure.
