Schneider Electric confirms breach after hacker claims to have 40GB of stolen data

Schneider Electric has confirmed it suffered a breach after a hacker claimed to have stolen data from the firm’s Jira server.

In a statement provided to ITPro, the firm said it was currently looking into an intrusion on one of its project management platforms.

“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment.”

The company confirmed that its products and services remain unaffected, adding that its global incident response specialists were immediately mobilized to respond to the incident.

Schneider Electric operates in over 100 companies across a number of industries, providing electrification, digitization, automation, and installation solutions.

The incident was first brought to light on 2 November when the HellCat ransomware collective posted to their leak site on the dark web claiming to have breached Schneider Electric’s infrastructure.

“Schneider Electric, a leader in energy management and automation with annual revenue exceeding $40 billion, is now at risk of exposing sensitive customer and operational information,” the listing claimed.

The group, who recently took responsibility for an attack on the Jordanian Ministry of Education, said it compromised critical data including projects, issues, and plugins, as well as over 400,000 rows of user data.

In total, HellCat allegedly stole over 40GB in compressed data, which it said it will publicly disclose if its $125,000 ransom demands are not met, sarcastically adding the French company should pay in baguettes.

The listing added that if Schneider Electric confirmed the breach the ransom would be decreased by 50%, directly addressing the firm’s new CEO Olivier Blum.

Hacker taunts Schneider Electric online

A threat actor under the name ‘Grep’, who claims to be part of the group responsible for the breach, publicly goaded Schneider Electric on social media, posting a sample of the data stolen from the firm’s developer platform.

According to reports, the collective used exposed credentials to access Schneider Electric’s Jira server, and then used a MiniOrange REST API to extract the 400,000 rows of user data.

Grep added that the data included 75,000 unique email addresses and full names of Schneider Electric employees and customers.

The threat actor claimed it was part of a newly formed hacking collective called the International Contract Agency (ICA).

It said that if Schneider Electric did not acknowledge the breach within 48 hours of it announcing the incident, it would disseminate the stolen data.

The incident marks the second attack on Schneider Electric in nine months following a ransomware attack on the firm’s sustainability division by the Cactus threat collective.

The gang claimed to have stolen around 1.5TB of data, after uploading 25MB of stolen data, including images of US citizens passports and scans of non-disclosure agreements, to its dark web leak site to establish the veracity of its claims.

The firm said the attack was limited to its sustainability division, adding that it had informed potentially at-risk customers of the breach.

ITPro approached Schneider Electric for further information on which users may be impacted in this latest breach, but did not receive clarification.