How was the Scania breach discovered?

The breach was discovered after threat monitoring platform Hackmanac spotted a hacking forum post by a threat actor named 'hensi,' who was selling data they claimed to have stolen from 'insurance.scania.com,' offering it to a single exclusive buyer.

What type of data was exposed in the Scania incident?

Exposed data includes insurance claim documents, personal information of claimants, financial details related to insurance claims, medical information (potentially, given the nature of accident claims), vehicle identification numbers (VINs), and customer identities and contact information.

How many people were affected by the Scania breach?

The number of affected individuals has not been disclosed by Scania. However, the company claims that the breach had limited impact overall.

Did the attackers make any threats regarding the stolen Scania data?

Yes, the attacker sent emails from proton.me to a number of Scania employees threatening to publish the stolen data. A follow-up email with similar content came later from an unrelated third party whose email had been compromised.

What immediate actions did Scania take after discovering the breach?

Scania took the compromised application offline so it is no longer reachable, launched an investigation into the incident, and notified privacy authorities regarding the breach as required by regulations.

Who identified the threat actor selling Scania's data?

Threat monitoring platform Hackmanac identified a threat actor named 'hensi' selling data allegedly stolen from Scania's insurance systems on a hacking forum. The data was being offered to a single exclusive buyer.

Was the breach caused by Scania's internal systems or external factors?

The breach was caused by external factors - specifically compromised credentials belonging to an external IT partner that had been stolen through infostealer malware, rather than a direct compromise of Scania's internal systems.

What role did infostealer malware play in the Scania incident?

Infostealer malware was used to steal credentials belonging to an external IT partner that had access to Scania's systems. These stolen credentials were then used by attackers to gain unauthorized access to Scania's Financial Services division systems.

Has Scania's compromised application been secured?

Yes, the compromised Scania application is no longer reachable online, indicating that the company has taken it offline as part of their incident response to prevent further unauthorized access while they investigate and remediate the security issue.

Incident

Scania confirms cyberattack and data breach of their corporate insurance division

Q: What happened to Scania's Financial Services division?

Swedish automotive giant Scania experienced a cybersecurity incident targeting its Financial Services division, which handles commercial vehicle insurance claims and related financial services. The attack involved compromised credentials belonging to an external IT partner.

Q: What is Scania's Financial Services division?

Scania's Financial Services division handles commercial vehicle insurance claims and related financial services for the Swedish automotive giant's customers and business operations.

published: June 17, 2025

Learn More

Swedish automotive giant Scania is reporting a cybersecurity incident targeting its Financial Services division which handles commercial vehicle insurance claims and related financial services.

The attack was caused by compromised credentials belonging to an external IT partner, which were stolen through infostealer malware. The breach was discovered after threat monitoring platform Hackmanac spotted a hacking forum post by a threat actor named 'hensi,' selling data they claimed to have stolen from 'insurance.scania.com,' offering it to a single exclusive buyer.

Exposed data includes:

Insurance claim documents
Personal information of claimants
Financial details related to insurance claims
Medical information (potentially, given the nature of accident claims)
Vehicle identification numbers (VINs)
Customer identities and contact information

The number of affected individuals is not disclosed.

The attacker sent emails from proton.me to a number of Scania employees threatening to publish the data. A follow-up email with similar content came later from an unrelated third party whose email had been compromised.

The compromised Scania application is no longer reachable online, and an investigation into the incident has been launched. Scania claims that the breach had limited impact and that it notified privacy authorities regarding the incident.

Scania confirms cyberattack and data breach of their corporate insurance division

Read More
Canton Municipal Court reports data breach of Stark …
The official Twitter account of the SEC compromised, …
Car dealer JCT600 reports potential security breach
Data breach at Easol affects Brighton Pride 2024 …
Tokai Carbon reports data breach exposing data of …