A cyberattack on Naivas, one of Kenya’s leading supermarkets has not only dented the firm’s online security standing but also raised a red flag that such security threats are not being identified and resolved in a timely manner.

It has also signaled the need to enhance firewalls among companies in the country. The retailer said the hackers breached security to access servers and systems in a move that may have exposed customer data to possible manipulation.

Data from Communication Authority of Kenya (CA) shows that cyber threats increased by 2000 per cent between July to September 2022.

“This unlawful intrusion may have compromised some of our data. Naivas has contained this attack and our systems are secure and our operations are normal,” said Naivas Chief Operating Officer Williy Kimani in a statement.

The revelation has revealed how the cyber security threats are now growing from banks and telcos, making supermarkets the new hunting grounds in what highlights the rising risk as the country adopts technology across the board.

Mobile platforms

Banks and telcos are known to have more strong security measures, but other industries still lag behind. On average, there have been more than 1,450 attacks per week in the country, according to Check Point Software 2022 Security Report. “This trend will likely continue over the coming months as more threats start coming from cloud and mobile platforms,’ it says.

Naivas said that they had been the target of a ransomware attack by a Threat Actor, an online criminal group. While the retailer acknowledged that some of their data may have been exposed, they claimed to have effectively confined the incident, made their systems secure, and resumed normal business activities.

Naivas has reassured customers that their credit card and debit card information is secure following cyber-attack that highlights how attackers are spreading their reach outside the financial sector.

The supermarket acknowledged that they do not keep any credit card or debit card information on their systems and that such payment information is handled safely and safeguarded by Secure Sockets Layer (SSL).

Kimani explained that on becoming aware of the attack, Naivas took immediate steps to prevent external access and engaged leading cybersecurity experts CrowdStrike to ensure system integrity, adding that this process is complete and the systems are secure.

“We are co-operating with the relevant law enforcement agencies, as they investigate this and the many current ransomware attacks in Kenya,” he added.

In addition, they are assisting law enforcement with their investigation of the event and other recent ransomware assaults in Kenya. “At this moment, we are not aware of any malicious use of stolen data. However, it is recommended in the face of this type of situation to pay particular attention to any phishing attempts by phone, SMS or email as well as to the sufficient security of passwords,” said Kimani.

He said the Office of the Data Protection Commissioner Kenya has been informed of the occurrence, and Naivas and security authorities are constantly monitoring the issue.

The supermarket business reaffirmed that they take the security of customer information extremely seriously and that they are doing everything they can to fix the issue and stop similar events from happening in the future.

Personal data

They appealed to clients to be watchful and adopt the required safety measures to safeguard their personal data, notably against phishing attacks.

The Communications Authority of Kenya reported that  92.8 million cyber threat incidences were received by the National Kenya Computer Incidence Response Team in the quarter ended June 2022, with 1.9 million advisories issued to various targeted stakeholders.

During the inaugural Africa Cybersecurity Congress, panellists noted that online businesses and payment portals are the latest targets for cybercriminals.