Hackers have demanded a $1.5 million ransom following a major cyberattack
The company said that no customers’ sensitive financial information was compromised.
In one of the largest corporate cyberattacks in Bangladesh, the country’s leading supermarket chain Shwapno has confirmed a breach of its customer database, with hackers demanding a ransom of $1.5 million. The issue surfaced after sensitive customer details—including names, mobile numbers, and purchase histories—began circulating on social media, triggering widespread concern among users.
A subsidiary of ACI Limited, Shwapno operates more than 800 outlets across 63 districts and serves over 4 million registered customers, highlighting the nationwide scale of the breach.
Company officials said the attackers had gained unauthorised access to the system months earlier, with signs suggesting the intrusion may date back to late 2025. The ransom demand was reportedly issued in August last year.
Managing Director Sabbir Hasan Nasir said the company has refused to meet what it described as “illegal and unethical” demands, maintaining a strict stance against paying cybercriminals.
In its official response, the company said it immediately initiated an internal audit under the supervision of ACI’s management information systems (MIS) division and introduced preventive measures to secure its infrastructure. It also stated that no sensitive financial information of customers had been compromised.
Shwapno added that it has strengthened its cybersecurity framework by deploying advanced firewall systems, enterprise-grade server protection, and round-the-clock network monitoring by both local and international specialists.
The company is working closely with the Counter Terrorism and Transnational Crime (CTTC) unit of Dhaka Metropolitan Police, along with forensic experts, to investigate the breach and bring those responsible to justice. A case is currently being processed in the Tejgaon Industrial Area.
Despite these steps, concerns remain over the delay in informing customers, as the breach appears to have occurred months before it was publicly disclosed.
Cybersecurity analysts warn that the leaked data—particularly purchase histories and phone numbers—could be used for targeted phishing attacks and fraud.
Customers have been advised to avoid sharing personal or financial information through unsolicited calls or messages and to remain cautious when clicking on suspicious links.
The company has urged users to stay alert, reiterating that it never requests passwords or one-time codes over phone calls.
What's Your Reaction?
