167K people exposed in Sweden Coop data leak


Ransomware gang Cactus says it has released data belonging to 167,000 people connected to Swedish grocery chain Coop after apparently failing to reach an agreement. The company has admitted to being breached in a cyberattack, but insists that it never received a demand for payment.

Ransomware gang Cactus took credit for last month’s attack and has not been idle with the stolen data – an update on its dedicated leaks website dated January 18th says that it has released the entire haul of 257GB.

Such tactics are commonplace among ransomware criminal outfits, which aim to gain leverage over target organizations by making good on threats to share compromising data in the hope of compelling them to pay a demanded fee.

In this case, it would appear that Cactus has simply decided to cut its losses and shore up its reputation by releasing the data. The original cyberattack dates back to before Christmas, while the post in which the threat group claims to have dumped the data is dated January 18th.

However, other observers who reached out to Cybernews say the group originally disclosed the data dump four days earlier.

This only adds to the confusion surrounding a cybercrime story that has taken a curious turn: Coop appears to have told local media that it never received a demand for ransom payment – unusual in such cases.

“No demands have been received, we have not perceived any such either,” said a spokesperson. “We have never planned to pay anything that finances criminal activity either.”

For its part, Cactus claims to have “100% disclosed” the data, suggesting that the entire trove has been released into the wild.

According to local media in Sweden, the exposed data includes Social Security numbers, physical addresses, emails, and phone numbers.

The 167,000 people exposed in the attack are thought to include customers, employees, and union members – Coop, which operates some 800 stores in Sweden, is founded on principles of collective public ownership.

Coop said the attack took place on December 22nd, affecting card payments as well as undermining its core computer network, which also compromised its email and telephone connections.

Cyber watchdog Falcon Feedsio confirmed a week later that Coop had been a victim of Cactus, along with Bell Group in the UK and Tridon Australia.

Coop insists it has seen no evidence to suggest the stolen data has been used – but that will be of little comfort to victims, given that such information can be traded down the line on dark web forums and might lie fallow for an extended period of time before being exploited by other criminals online.

Cybernews has reached out to Coop requesting clarification over the motive behind the cyberattack but has yet to receive a response.