At the end of last week, mega-retailer Shoprite issued a statement warning customers to be on the alert for identity fraud after a hacking gang claimed to have broken into the Shoprite servers and stolen some customer names and ID numbers, but no financial information or bank account numbers.
Shoprite said it became aware of a suspected data compromise in a specific sub-set of data, which may affect some customers who engaged in money transfers to and within Eswatini, and within Namibia and Zambia.
On Wednesday 15 June, the BleepingComputer website reported that a relatively new but known hacking gang, RansomHouse, had claimed responsibility for the attack.
“An investigation was immediately launched with forensic experts and other data security professionals to establish the origin, nature, and scope of this incident,” the retailer stated.
“Additional security measures to protect against further data loss were implemented by amending authentication processes and fraud prevention and detection strategies to protect customer data. Access to affected areas of the network has also been locked down.”
Itweb has now reported that the group, known as RansomHouse, is demanding a ransom from the retail chain and is threatening to sell the sensitive information to the highest bidder if its demands are not met.
Taking to messaging app Telegram, RansomHouse says: “First of all, meet Shoprite! The company that runs your favourite stores if you live in Africa. Truth is, it’s been quite some time since we encountered something THAT outrageous: their staff was keeping enormous amounts of personal data in plain text/raw photos packed in archived files, completely unprotected. Feel free to have a look at the data sample at our website.”
“We’ve contacted Shoprite management and invited them to negotiate, but the only thing they did is change their passwords like it solves everything. If their position doesn’t change, most of this data will be sold with something disclosed to the public. Apart from KYC [know your customer] data, we also got lots of other interesting stuff from the company. Yes, they like to keep a lot of things unprotected.”
According to cyber security firm Malwarebytes, RansomHouse is a new extortion group that gets into victims’ networks by exploiting vulnerabilities to steal data, then coerces victims to pay up, lest their data be sold to the highest bidder.
If no criminal is interested in buying the data, Malwarebytes states, the group leaks it on its site.
This group is unique in the way it extorts money from victims, says Malwarebytes, noting it appears to market itself as a penetration tester and bug bounty hunter more than the average online extortionist.
After stealing data from targets, it offers to delete it and then provides a full report on what vulnerabilities it exploited and how.
Like ransomware groups, it also has channels in place – a Telegram account and a leak site – to communicate with victims, journalists and those who want to track their activities.
Malwarebytes notes that RansomHouse is believed to have emerged in December 2021 and has four victims, the first of which was Canada’s Saskatchewan Liquor and Gaming Authority, a regulator of alcohol, cannabis and most gambling in the province, which first reported a breach in that same month.
According to the “About” page on RansomHouse’s Onion site, it is “a professional mediators community”.
The Shoprite attack is the second high-profile case in which a South African organisation’s cyber security has been breached and the cyber criminals have then demanded a ransom.
In March, credit bureau TransUnion South Africa was hacked by a group called N4aughtysecTU, which demanded a $15 million (R223 million) ransom over four terabytes of compromised data.
This comes as South African organisations are increasingly being targeted by cyber criminals.
For example, last month pharmacy retail giant Dis-Chem was hit by a cyber attack that exposed about 3.6 million personal records of South Africans.
In September, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.