Tegut Data Breach (2021)

Tegut

lowVERIS
Disclosed

April 23, 2021

Records

Undisclosed

Confirmed

Root Cause

Hacking

Industry

Retail

Description

The German supermarket chain “tegut” was recently the target of a cyberattack (source in German) and on April 24 the company activated emergency procedures that shut down their entire central IT network and disconnected it from the internet. While done to limit the exposure of sensitive data, these measures also had side effects including gaps in their supply chain and other services that lasted for weeks. Despite these mitigation efforts, the attackers have already begun to publish company and customer data on the dark web.

Tegut is a Swiss-owned supermarket chain that operates about 280 stores across central and southern Germany. They have had an annual turnover of over 1 billion EUR every year since 2017.

What kind of data was affected?

According to a press release from May 27, the attackers began publishing answers that customers had given to market research surveys, primarily those who were members of their customer rewards program “GuteKarte”. The leaks also included personal data, including home addresses, email addresses, and telephone numbers.

A week before that, it was announced that company data had been published online. According to the press release from May 18, it could not be ruled out that the affected company data included personal data of employees.

What services were affected during the shutdown?

Due to the emergency shutdown, customers and employees experienced the following issues:

- The email server was shut down, so requests couldn’t be sent to the company by email. This service was restored on May 9.
- Certain products were unavailable for a time because the central logistics program was taken offline and wasn’t able to automatically process the need for restocking. Stores had to manually track their stock and, while the email server was shut down as well, restocking orders had to be placed via telephone.
- Most types of gift certificates couldn’t be purchased or processed for payment until May 21.
- Certain areas of their website had to be deactivated, including the customer login portal, which came back online on May 25 and required customers to change their passwords.

What motivated the attack?

The company has suggested that the incremental release of the stolen data by attackers is intended to increase “pressure” on them. In the press release following the second publication of stolen data, the company’s CEO commented (translated from German), “we will not reward criminal activity and we will not enter into negotiations with criminals. It is clear to us that the attackers are now increasing the pressure on [our company] and want to provoke uncertainty among our customers, employees, and suppliers in order to assert their demands.” It was not revealed in the press release what those demands are.

How has the company responded?

- Emergency protocols were activated on April 24 which involved shutting down the company’s central IT network and disconnecting it from the internet.
- Since then, regular press releases have been published and chronicled on their website.
- Customers were asked to change their passwords before logging back into their online portal.
- The breach has been reported to the authorities and affected customers have been notified.
- A new logistics app has been released ahead of schedule that enabled stores to begin restocking their shelves as quickly as possible.