Data stolen in Naivas Supermarket ransomware attack

Local retail giant Naivas has suffered data theft in a ransomware attack, the supermarket chain has said adding that the motive of the attackers remains unknown.

The attack, one of the largest customer data theft in the country, breached servers and systems at the retail giant exposing private information including invoices, agreements, and customer data to possible manipulation by unknown actors.

Through its chief commercial officer Willy Kimani, Naivas revealed that the attack compromised some of its data.

“This unlawful intrusion may have compromised some of our data. Naivas has contained this attack and our systems are secure and our operations are normal,” a letter by Mr Kimani reads in part.

“We are cooperating with relevant law enforcement agencies, as they investigate this and the many current ransomware attacks in Kenya.”

While assuring its clients and partners its systems have since been secured and the attack contained, Naivas said it is not holding any credit card or debit card information in its systems.

"Such payment information is handled securely and protected through Secure Sockets Layer (SSL) encryption. At this moment, we are not aware of any malicious use of stolen data," it said.

The retail chain advised its customers to be on the lookout for any phishing attempts by phone, short messages, or email, and to update their security information such as passwords.

“At this moment, we are not aware of any malicious use of stolen data. However, it is recommended in the face of this type of situation to pay particular attention to any phishing attempts (by phone, SMS or email),” it added.

The retailer claimed that Threat Actor - the alleged masterminds of the attack - intends to publish the stolen data, however, they have informed the Office of the Data Protection Commissioner of Kenya of the incident.