Scania, the popular Swedish company known for making heavy trucks and buses, has confirmed that it was recently hit by a cyberattack. The incident involved a data breach in its insurance claim systems, and the attackers tried to extort the company by demanding ransom in exchange for not leaking sensitive information.

The attack happened between May 28 and 29, 2025. Cybercriminals managed to access Scania’s systems using stolen login credentials. These credentials did not belong to a Scania employee, but rather to an external IT partner. According to the investigation, the credentials were most likely stolen by malware known as an “info-stealer” and then passed on or sold to the attackers.

Once the attackers had access, they were able to log into Scania’s insurance claims portal. They downloaded confidential documents that are believed to contain sensitive details, including names, personal information, financial data, and possibly even medical records linked to insurance claims. The company has not yet confirmed how many individuals were affected.

On May 30, just one day after the files were stolen, the attackers began sending ransom emails to Scania employees. They used a ProtonMail account, which allows anonymous communication. In the emails, the attackers threatened to publish the stolen data unless their demands were met. To prove they had access, they attached screenshots showing actual insurance claim data from Scania’s system.

Later that same day, another email was sent using a different system that had also been compromised. This second message included three sample documents taken from the stolen data. This move made it clear that the threat was serious, and that the attackers had real access to private company files.

Adding to the pressure, a hacker calling themselves “hensi” posted a message on an underground hacking forum. In the post, the hacker offered to sell the stolen Scania data and included a preview screenshot. They claimed they were accepting bids for the files. This showed that the attackers were ready to profit from the data, whether or not Scania responded to their ransom threats.

Scania took quick action after discovering the breach. The affected portal, insurance.scania.com, was taken offline immediately. The company also began working with cybersecurity experts to investigate the attack and improve its security systems. Scania clarified that only the external partner’s login was compromised, and that their own internal systems were not directly breached.

The company has reported the incident to relevant privacy authorities and is taking steps to make sure something like this doesn’t happen again. They are especially focusing on strengthening the way third-party partners access their systems.

This case highlights a common tactic used by hackers today: targeting large companies by going after smaller partners or vendors. Even if a company like Scania has strong cybersecurity, it can still be at risk if one of its partners is not well protected.

Scania says the damage appears limited so far, but the full investigation is still ongoing. This attack is a clear reminder that cybersecurity needs to be taken seriously at every level, from internal systems to third-party access.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news