By Jan Vermeulen for MyBroadband
Customer data stolen from Africa’s largest supermarket chain is being auctioned by dark web extortion market RansomHouse, with bidding open at 20 bitcoin (R6.7-million).
Shoprite fell victim to the cyber extortion gang earlier this month, initially stating that there was a “possible data compromise” affecting some money transfer clients.
The retail group stated that some customers’ names and ID numbers were potentially leaked, specifically those who performed money transfers to and within Eswatini, Namibia, and Zambia.
However, RansomHouse soon claimed responsibility for the attack and demonstrated that it had exfiltrated names, ID numbers, and photographs of people’s government-issued identity documents.
The group claimed it compromised Shoprite’s whole know-your-customer (FICA) database for its money transfer service on 6 June 2022.
To prove its claims, RansomHouse posted 356 files containing customer identity data to its website on the dark web. Compressed, the files are just over 400MB.
RansomHouse threatened to sell the data and leak a portion online unless Shoprite paid up.
It appears Shoprite has refused to communicate with the group.
“With regards to Shoprite, we’ve made a decision to add more information about how their infrastructure was compromised,” RansomHouse said in a statement on Monday night.
“We’ll also publish the whole filetree data, so everyone could get the idea of how massive the leak actually is.”
RansomHouse said that Shoprite could easily fix the situation by contacting them.
“We’ve waited long enough for Shoprite to contact us and prevent the further leak, but they could not have cared less about their clients — they’ve only promised to notify everyone involved with an SMS,” RansomHouse said.
“This is the way large corporations prefer to deal with simple folk who entrust their personal data to these giants, not even an apology for violating all possible standards of data protection, not the slightest attempt to fix the situation.”
RansomHouse emphasised that Shoprite’s attackers did not infect the company’s systems with ransomware during the attack.
In its original notice about the breach, Shoprite promised affected customers would receive an SMS to the cell number supplied at the time of the transaction.
Shoprite said it implemented additional security measures to protect against further data loss, amending its authentication processes and its fraud prevention and detection strategies to protect customer data.
It also locked down access to affected areas of its network.
RansomHouse claims that Shoprite had left customers’ data wholly unprotected.
“It’s been quite some time since we encountered something that outrageous,” the group said in an earlier statement.
“Their staff was keeping enormous amounts of personal data in plain text [and] raw photos packed in archived files, completely unprotected.”
RansomHouse said that apart from know-your-customer data, they also obtained “lots of other interesting stuff”.
MyBroadband contacted Shoprite for comment. The company did not respond at the time of publication.