Naivas alongside many corporates and organisations in and outside Kenya was the victim of a ransomware attack by an online criminal organization (Threat Actor).
In a statement, Naivas said that the attack has been contained, and its systems are secure and operations are normal.
“On becoming aware of the attack, Naivas took immediate steps to prevent external access and engaged leading cybersecurity experts CrowdStrike to ensure system integrity. This process is complete and our systems are secure,” Naivas Chief Commercial Officer Willy Kimani said.
Kimani denied claims that the hackers had infiltrated and stolen customer data including credit/debit card information, saying such information is not stored in their systems.
“Naivas does not hold any credit card or debit card information on its systems, and such payment
information is handled securely and protected through Secure Sockets Layer (SSL) encryption. For mobile money, Naivas only records the related transactional information as is customary for all mobile money
transactions in Kenya,” the retailer said.
Also, the retailer said that customer loyalty points were not affected by the attack.
“Customers can continue to earn and redeem points as per normal. No point balances have been lost. Naivas holds personal information for its loyalty card members. This information as supplied by its customers includes; name, ID number, telephone number, email address, and home address. Note we do not hold payment details for any of our customers on our systems,” Kimani added.
As a result of the ransomware attack, Kimani said the Threat Actor had access to some of Naivas’ data.
The Threat Actor claims to have stolen data and is threatening to leak this data online. Such data may include customer personal information.
“At the moment, we are not aware of any malicious use of stolen data. However, it is recommended in the face of this type of situation to pay particular attention to any phishing attempt (by phone, SMS or email) as well as to the sufficient security of your passwords (in case of doubt about the possible recovery of a password following a cybersecurity incident, it is recommended to modify it). Customers should never share passwords or PIN numbers over the phone or email,” the retailer said.