<div id="post_message_797929">
Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.<br/> <br/> Scania told BleepingComputer that the attackers emailed several Scania employees, threatening to leak the data online unless their demands were met.<br/> <br/> Scania is a major Swedish manufacturer of heavy trucks, buses, and industrial and marine engines and is a member of the Volkswagen Group.<br/> <br/> The company, which is known for its durable fuel-efficient engines, employs over <a href="https://www.scania.com/group/en/home/about-scania/scania-in-brief/facts-and-figures.html" target="_blank">59,000 people</a> and has an annual revenue of $20.5 billion, selling over 100,000 vehicles yearly.<br/> <br/> Late last week, threat monitoring platform <a href="https://x.com/H4ckmanac/status/1933102217562562836" target="_blank">Hackmanac spotted</a> a hacking forum post by a threat actor named 'hensi,' who is selling data they claimed to have stolen from 'insurance.scania.com,' offering it to a single exclusive buyer.<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/June/forum-post.png"/><br/> <div style="margin:20px; margin-top:5px; "> <!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> --> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Threat actor's post on underground forums. 
Source: @H4ckmanac | X </td> </tr> </table> </div>Scania confirmed the breach to BleepingComputer, stating that their systems were breached on May 28, 2025, using an external IT partner's credentials stolen by infostealer malware.<br/> <br/> "We can confirm there has been a security related incident in the application "insurance.scania.com", the application is provided by an external IT partner," stated a Scania spokesperson.<br/> <br/> "On the 28th and 29th of May, a perpetrator used credentials for a legitimate external user to gain access to a system used for insurance purposes; our current assumption is that the credentials used by the perpetrator were leaked by a password stealer malware."<br/> <br/> "Using the compromised account, documents related to insurance claims were downloaded."<br/> <br/> Insurance claim documents are likely to contain personal and possibly sensitive financial or medical data, so the incident could have a significant impact on those affected. At this time, the number of exposed individuals remains undefined.<br/> <br/> The breach was followed by an extortion phase where the attackers contacted Scania employees directly using a @proton.me email address to extort the company, following up with the publication of samples of the stolen data on hacking forums.<br/> <br/> "Early on the 30th (CEST) the attacker sent emails from proton.me to a number of Scania employees threatening to disclose the data."<br/> <br/> "A follow-up email with similar content came later from an unrelated 3rd party whose email had been compromised. 
The data was later leaked by an actor named Hensi."<br/> <br/> The compromised application is no longer reachable online, and an investigation into the incident has been launched.<br/> <br/> Meanwhile, Scania told BleepingComputer that the breach had limited impact and that it notified privacy authorities regarding the incident.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/scania-confirms-insurance-claim-data-breach-in-extortion-attempt/" target="_blank">@ BleepingComputer </a> </div>