Massy Stores and Massy Distribution Trinidad say that the data unlawfully accessed by hackers during a cyber attack in April was “more extensive than the preliminary stages of the investigation indicated.”
“As such, and as a matter of urgency, the company will be taking steps to identify and notify all additional parties whose information may have been unlawfully accessed,” Massy stated in a release yesterday.
The Business Guardian yesterday reported that Massy Stores is currently investigating claims that an international ransomware group had dumped over 700,000 of its files, revealing the personal information of staff and customers following a hack attack earlier this year.
However, it has now been revealed that more than five months after that hacking incident, a data dump has occurred on the Hive dark website. That data dump took place on Tuesday.
A cybersecurity expert who verified the documents revealed that the Hive Ransomware group had dumped 87,550 folders and 704,047 corporate files allegedly belonging to Massy Stores. The expert described it as “the largest Caribbean data breach dump to date.”
Guardian Media has been able to download several of the documents, which included wire transfer information, invoices, customer account numbers and identification.
The hackers publicly dumped staff salaries, photos, personal details and copies of customers’ passports, as well as internal audit documents and other financial information from the company.
On April 28, 2022, Massy Stores and Massy Distribution Trinidad experienced a cyber-security incident.
In an update on their investigation of the matter yesterday, Massy stated, “Responsibility, Honesty, and Integrity are core values of the Massy Group that guide our operations, our people, and how we do business.
“We take very seriously our duty to those we serve. Data privacy and protection, as well as the obligations we have as a data controller in all countries in which we operate, is paramount. In response to the cyber-security incident, we immediately engaged experts in the field to help investigate. As part of the incident response plan, we notified all potentially impacted parties of the incident given the information available to us at the time.”
Massy stated through continued investigations of the cyber-security incident, it is now aware that the data unlawfully accessed by the attackers was more extensive than the preliminary stages of the investigation indicated.
“We would like to caution that much of the information being shared publicly about this cyber-security incident is speculative and inaccurate. We have created official channels for communication and encourage anyone with concerns to contact us directly via the channels listed below,” Massy said.
“We thank our teams for their resilience and commitment to being of service. We also thank our stakeholders who have trusted us for the past 100 years, assured that as companies within the Massy Group, we will always operate from a place of integrity.”
It is believed that the data released in the dump was used to effect another ransomware attack on the Massy Group.
Five days after the data dump, Massy Jamaica Distribution Ltd was also the victim of a recent ransomware attack. Following that attack, 17 gigabytes of data from Massy Jamaica Distribution was dumped on the internet on October 9.
