Thursday, March 27, 2025

Massy Stores investigates cyber attack information leak

by Joel Julien, October 19, 2022

Massy Stores is currently investigating claims that an international ransomware group has dumped over 700,000 of its files, revealing the personal information of staff and customers following a hack attack earlier this year.

A cybersecurity expert who verified the documents has revealed that the Hive Ransomware group has dumped 87,550 folders and 704,047 corporate files, allegedly belonging to Massy Stores.

The expert described it as “the largest Caribbean data breach dump to date.”

Guardian Media Ltd has been able to download several of the documents which included wire transfer information, invoices, customer account numbers and identification.

On April 28, Massy Stores confirmed that it was the target of a cybersecurity attack which led to the technical difficulties experienced at all of its stores across the country.

“The company took immediate action, suspending all customer-facing systems, and has been working with third party experts to resolve the situation. Backup servers were not affected and the technical team is actively working with the expert teams to restore the system safely and in the shortest time possible,” Massy stated in a release then.

“The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation,” it stated.

On its dark website Hive stated that it executed encryption on data on Massy Stores’ servers at 9.37 am on April 28.

However it has now been revealed that more than five months after that hacking incident a data dump has occurred on the Hive dark website.

That data dump took place on Tuesday.

The hackers publicly dumped staff salaries, photos, personal details, copies of customers’ passports as well as internal audit documents and other financial information from the company.

Although the attack actually happened in April the hackers are said to have “rinsed” the data by going through it to see what they could have benefited from before releasing it.

“Normally they would release it much sooner, usually within two weeks, but I think because of the kind of information they got it took them a while because the hacker group I believe that they went through the data received to see what they could benefit from before releasing it to the public. So I think that is why they took so long,” the expert stated.

It is believed that the data released in the dump was used to effect another ransomware attack on the Massy group.

Five days after the data dump Massy Jamaica Distribution Ltd was the victim of a recent ransomware attack.

Following that attack 17 gigabytes of data from Massy Jamaica Distribution Ltd was dumped on the internet on October 9.

It is believed that other attacks may occur as a result of the data dump.

According to the expert the dumping of the data suggests that Massy Stores may not have paid the ransom, which caused the data dump on the dark web.

By yesterday the web page to download the files had been removed. The expert stated that this situation possibly meant that Massy Stores had eventually paid the ransom because the hackers had removed the web page to download the company’s files.

However the direct link to the files on the server was still accessible.

“Based on the data exposed, it can be used for identity theft, fraud and other malicious purposes,” the expert stated.

The expert said Massy Stores will need to inform those who have been affected.

“The company will need to tell them. They would not know unless the company tells them. So the first thing should be that the company should disclose if data was exposed,” the expert stated.

“It might not be realistic for them to tell everyone individually who was affected but they will have to make a general statement and warn customers and staff to be extra vigilant,” the expert stated.

The expert said Massy cannot put its head in the sand with respect to this situation as documents bearing the company’s markings including PDF and scanned documents are now available on the dark web.

“It’s not hearsay you can actually see it. The documents are valid,” the expert stated.

The expert stated that every single employee, both past and present, as well as suppliers need to assess any previous cyber attacks or fraud they might have experienced.

“What is most worrying is that so far there is no public admission of the declaration of the stolen files by the victim company which comes down to the topic of ethics,” the expert stated.

“Should such a large scale data dump of people’s personal data be kept private from the public or victims despite data protection laws requiring declaration?” the expert stated.

When contacted for comment on the issue Candace Ali, assistant vice president, marketing and communications for Massy Stores said the situation was being investigated.

“We cannot confirm the accuracy of this information at this time. We will further advise on our findings, once we have more information coming out of our investigations,” Ali stated.

Hive, which was first observed in June 2021, is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware attacks.

Hive is built for distribution in a ransomware-as-a-service model that enables affiliates to utilise it as desired.

The hackers publicly dumped the following for the entire internet to access:

87,550 folders and 704,047 files.

Finance (accounts receivable, accounts payable, budget, banking, financial statements, internal audits)

HR (staff photos, surveys, staff listings, job descriptions, events, claims, personal data)

Operations (monthly payroll up to April 2022, store audits, store performance, budgets)

Property management (strategic management documents)

Client Backups (backups of data on end-users’ systems)

Copies of people’s passports.
