Shwapno Retail Chain Suffers Data Breach Affecting 4 Million Customers
Learn More
Shwapno, the largest retail supermarket chain in Bangladesh and a subsidiary of ACI Limited, confirmed a data breach and extortion attempt involving its customer database.
The breach was publicly disclosed after portions of sensitive customer information began circulating on social media platforms following the company's refusal to pay a $1.5 million ransom.
The attackers gained access to Shwapno's web infrastructure and backend database, maintaining a presence in the network for several months. The company's managing director stated that they identified the intrusion and attempted to secure the system in August, the threat actors reportedly regained or maintained enough control to disrupt the company's website and database again in December.
The compromised data includes:
- Full customer names
- Mobile phone numbers
- Detailed purchase histories
- Transaction records
The number of affected individuals is approximately 4,000,000. The nature of the attack is not disclosed. The attackers demanded a ransom of $1,500,000 not to release the data, but the company did not pay.
Shwapno engaged the Counter Terrorism and Transnational Crime (CTTC) unit of the Bangladesh Police to lead a criminal investigation. The retailer is also working with domestic and international forensic experts to assess the full extent of the compromise and strengthen its cyber defenses.
Despite the initial breach occurring months earlier, the company did not issue a public warning to its customers until the data appeared online, citing an ongoing effort to secure the database without complying with unethical demands.
