Scania hit by cyberattack - thousands of customers potentially affected, here's what we know


  • An external IT partner to Scania lost its login credentials through an infostealer
  • The hackers used the password to access Scania and steal files
  • They asked the company for money, and later offered the archive for sale

Swedish automotive manufacturer Scania has confirmed suffering a cyberattack which saw it lose sensitive customer data.

Security researchers Hackmanac found a new thread on a dark web forum, in which a database allegedly stolen from ‘insurance.scania.com’ was being offered for sale to an exclusive buyer for an unknown sum of money.

“hi guys. we hacked new target and selling full attachment of 'insurance.scania.com'. Full attached files is 34,000 and first time hacked + just will 1 hand sell,” the ad, published in both English and Russian, reads. “few pic attached with remarks (for no one cant copy and scam people).”


Supply chain attack

After the thread was posted, Scania confirmed the authenticity of the claims, saying it was breached in late May 2025 as part of a supply chain attack which originated at an external IT partner.

"We can confirm there has been a security related incident in the application "insurance.scania.com", the application is provided by an external IT partner," a Scania spokesperson said.

"On the 28th and 29th of May, a perpetrator used credentials for a legitimate external user to gain access to a system used for insurance purposes; our current assumption is that the credentials used by the perpetrator were leaked by a password stealer malware."

"Using the compromised account, documents related to insurance claims were downloaded."

Although the company did not detail what information was found in the stolen files, it’s safe to assume that it is sensitive, possibly financial or medical. The number of affected individuals is also unknown for now.

After stealing the archives, the threat actor tried to extort Scania for money, reaching out on multiple occasions and demanding a ransom. Since it ended up offering the database for sale on the dark web, we can assume that the company declined the generous offer.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
