Cyber Incident Victim: Scania
Date: May 2025
Location: Sweden
Summary
Scania confirmed a security incident in which threat actors used stolen credentials from an external IT partner to access the insurance.scania.com application and download insurance claim documents. The attackers then contacted employees via email, threatening to release the data unless demands were met, and later posted samples of the stolen information on hacking forums. The compromised application was taken offline, an investigation was launched, and privacy authorities were notified. Scania described the impact as limited while noting that the breach exposed personal and potentially sensitive financial or medical information.
Description
On May 28, 2025, Scania confirmed that threat actors breached its Financial Services systems by using compromised credentials belonging to an external IT partner to access the insurance.scania.com application. The perpetrator gained entry on May 28 and 29, 2025, and downloaded documents related to insurance claims; the credentials had allegedly been leaked by infostealer malware. Scania told BleepingComputer that the breach was discovered after threat monitoring platform Hackmanac observed a forum post by a user named 'hensi' offering data allegedly stolen from insurance.scania.com to a single exclusive buyer. The company emphasized that the affected application is provided by an external IT partner and that the incident was limited to that system.

Following the data theft, the attackers initiated an extortion phase by sending emails from a @proton.me address to several Scania employees on the morning of May 30, 2025 (CEST), threatening to disclose the stolen information unless their demands were met. A subsequent email with similar content arrived later from an unrelated third party whose own email account had been compromised, indicating a possible secondary compromise. The actor identified as 'hensi' later published samples of the stolen data on hacking forums, confirming the exfiltration of insurance claim documents. Scania noted that the compromised application is no longer reachable online as part of its containment measures.

Scania described the breach as having limited impact, although it acknowledged that insurance claim documents may contain personal and possibly sensitive financial or medical data, and the exact number of affected individuals remains undetermined. The company notified relevant privacy authorities about the incident and launched an investigation to determine the full scope and origin of the compromise. As a major Swedish manufacturer within the Volkswagen Group employing over 59,000 people and generating $20.5 billion in annual revenue, Scania confirmed that it continues to monitor the situation and cooperate with investigators.
