Scania Acknowledges Data Breach Involving Insurance Claims Amid Extortion Incident

Scania, a leading automotive manufacturer, has confirmed a significant cybersecurity breach that involved fraudulent access to its Financial Services systems, resulting in the theft of insurance claim documents.

The company reported that threat actors utilized compromised employee credentials to execute the breach and subsequently contacted several Scania employees via email, demanding compliance to prevent the public disclosure of the stolen data.

Headquartered in Sweden, Scania is a renowned manufacturer of heavy trucks, buses, and industrial engines and is affiliated with the Volkswagen Group. It boasts an employee count exceeding 59,000 and achievements that include an annual revenue of $20.5 billion and the sale of over 100,000 vehicles each year.

In a recent observation, a threat intelligence platform identified a post on a hacking forum by an individual using the alias ‘hensi’, alleging the sale of data acquired from Scania’s insurance system and offering it to a single buyer.

Scania acknowledged the incident, confirming that the breach occurred on May 28, 2025, through the exploitation of credentials belonging to an external IT partner, which had been compromised via infostealer malware.

A company spokesperson stated, “We can confirm there has been a security-related incident in the application ‘insurance.scania.com’ provided by an external IT partner. On the 28th and 29th of May, a perpetrator accessed the system using legitimate credentials, presumably leaked through password-stealer malware.” The documents extracted pertained to insurance claims.

These insurance claim documents may contain personal, financial, or medical information, potentially affecting numerous individuals; however, the exact number of individuals impacted is currently unknown.

Following the breach, an extortion attempt ensued, wherein attackers directly contacted Scania employees from a @proton.me email address, demanding ransom and revealing portions of the compromised data on hacking forums.

On the morning of May 30, the attacker issued threats through emails to various Scania employees regarding the possible disclosure of data. This was subsequently followed by similar threats from an unrelated third party whose email was also compromised. The data was disseminated by the actor known as Hensi.

As of now, the affected application has been rendered inaccessible, and an investigation into the incident is currently underway. Scania has indicated that the impact of the breach has been limited, and privacy authorities have been informed of the situation.