Cyber Incident Victim: Spinneys
Date:
Jul 2022
Location:
United Arab Emirates
Summary
A major UAE retailer experienced unauthorized access to its internal systems by a ransomware group, compromising customer data including names, contact details, email and delivery addresses, and historical order information. The organization confirmed no banking data was affected as such details were not stored on breached servers, while collaborating with law enforcement to investigate the incident. Customers were advised to remain vigilant against potential fraudulent communications and directed to official support channels for assistance, with the company expressing regret over the breach and reaffirming its commitment to data protection.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around July 16, 2022, a ransomware group breached an internal server belonging to Spinneys, a major retail chain in the UAE. The attackers accessed customer data including names, contact numbers, email addresses, delivery addresses, and previous order information. Spinneys became aware of the incident after receiving reports of anonymous emails being sent from unidentifiable email addresses, indicating potential data leakage. The company confirmed no personal banking information was compromised, as they did not store such details on their servers. The breach represented unauthorized access to sensitive customer records maintained for operational purposes. Spinneys publicly disclosed the incident through an official statement on August 4, 2022, acknowledging the ransomware group's actions while emphasizing their ongoing investigation into the full scope of the compromise.
Spinneys immediately engaged the E-Crime Department at Dubai Police to conduct a joint investigation into the attack. The company notified affected customers about the data exposure and advised vigilance against potential cyber criminal activities, specifically warning against interacting with untrusted parties. Their public communication included a dedicated customer service email ([email protected]) for inquiries while reiterating their commitment to responsible data handling practices. The retailer expressed regret over the incident but maintained transparency about the compromised data categories and investigative progress. Operational impacts included reputational damage from the unauthorized disclosure of customer information, though Spinneys emphasized continued business operations without evidence of financial system compromise given the absence of stored banking details.