Naivas Reports Data Breach

Naivas, Kenya’s largest supermarket chain, on Sunday, announced that it was a victim of a ransomware attack carried out by an online criminal organization.

In a statement released to newsrooms, Willy Kimani, Naivas’ Chief Commercial Officer revealed that the attack may have compromised some of their data.

“Naivas regrets to announce that alongside many corporates and organizations in and outside Kenya, we have been the victims of a ransomware attack by an online criminal organization (Threat Actor). This unlawful intrusion may have compromised some of our data. Naivas has contained this attack, and our systems are secure and our operations are normal,” Kimani said.

He added: “Naivas has been made aware that the Threat Actor has claimed to have stolen some of our data and is alleging that this may be published in due course. We and law enforcement agencies are monitoring this closely. Naivas has also informed the Office of the Data Protection Commissioner Kenya of this incident.”

The supermarket chain said taken immediate steps to prevent external access to its systems and had engaged cybersecurity experts from CrowdStrike to ensure system integrity. The company confirmed that this process is complete and that their systems are now secure.

Although Naivas, which has 84 outlets in Kenya, said it has not yet detected any malicious use of the stolen data, the criminal group responsible for the attack has claimed to have stolen some of the company’s data and has threatened to publish it in due course. Naivas and law enforcement agencies are closely monitoring the situation.

Naivas, however, has reassured customers that they do not hold any credit or debit card information on their systems and that such payment information is securely handled and protected through Secure Sockets Layer (SSL) encryption. The company has advised customers to be vigilant and pay attention to any phishing attempts by phone, SMS, or email, as well as ensure the sufficient security of their passwords.

“We take the protection of personal information very seriously,” Kimani said. “Please accept our deepest apologies for the worry and inconvenience that this criminal activity may cause.”

Naivas said it is currently cooperating with relevant law enforcement agencies as they investigate the attack and other ransomware attacks in Kenya. The company has also informed the Office of the Data Protection Commissioner Kenya of the incident.