Naivas Supermarket’s System Hacked, Data Stolen. Looks like Naivas Supermarket, the largest retail chain in Kenya at the moment was backed and important data belonging to partners, invoices, agreements, and customer data were splashed online.
The retail chain appeared on ALPHV/ Black a dark web leak, in what is likely to be one of the largest hacks targeting a retail chain in Kenya. Naivas Supermarket has not given a statement.
Wycliffe Musalia reports that Kenya’s Naivas supermarket chain in Kenya has been the victim of a ransomware incident, but the chain assures customers that certain customer data such as payment card data was never at risk because it is not stored on their system.
From the news report, it sounds like the company notified law enforcement, brought in CrowdStrike, and published a notice to consumers on Twitter on April 23.
Naivas Supermarket has a huge amount of data in Kenya given that they have phone numbers through their Naivas loyalty card and also customers use M-Pesa to pay for their purchases.
Other information that has been seen includes details of suppliers including their bank accounts, agreements, and bank details of Naivas Supermarket itself. The case of Naivas brings to the surface the danger of cybercrime in Kenya.
In 2022, Kenya is said to have lost 3.6 billion shillings to cybercriminals. Most of the affected were commercial banks and Saccos who lost billions of shillings after hackers accessed their bank accounts.
Cybercrime has been blamed for the vanishing of cash from customer bank accounts in institutions such as Equity Bank Kenya leading to a public outcry. During the year, there were numerous cases of people’s money being withdrawn from their accounts without their knowledge.
The problem with Kenyan firms such as banks, Saccos, and now supermarkets, is that they have failed to invest in measures that would prevent cyber criminals from accessing their records and accounts.
Ironically, Kenya has the office of Data Commissioner whose work is to ensure that Kenyans are protected and this includes ensuring that firms have put in place measures to protect data.
Read more at Tuko.ke.
The attack has been claimed by BlackCat, who have posted some proof of claims and a post about how data will be sold for money laundering and other criminal activities. Perhaps the only thing that is really noteworthy about the post is the claim that they acquired more than 1TB of data. At some point, Naivas may need to address how so much data could be exfiltrated without their awareness or detection system alerting them.