Scania has reported a cybersecurity incident. Malicious parties gained access to Scania Financial Services’ systems using stolen login details. They stole documents relating to insurance claims.
According to Scania, the attackers sent emails to several company employees. The attackers threatened to publish the stolen data online if their demands were not met.
Scania is a large Swedish manufacturer of heavy trucks, buses, and industrial and marine engines. It is part of the Volkswagen Group.
At the end of last week, the threat monitoring platform Hackmanac spotted a message on a hacker forum from someone named ‘hensi’. That person offered data for sale that had allegedly been stolen from ‘insurance.scania.com’. hensi is offering the data exclusively to one buyer.
Login details of external IT partner
Scania confirmed to BleepingComputer that the system was compromised on May 28, 2025, using login details from an external IT partner. The data was stolen using so-called infostealer malware. According to a Scania spokesperson, there was a security incident within the insurance.scania.com application, which is managed by the IT partner.
On May 28 and 29, an attacker used the login credentials of a legitimate external user to gain access to a system that the manufacturer uses for insurance purposes. The current assumption is that these login credentials were stolen using malware that steals passwords. Documents related to insurance claims were downloaded using the compromised account.
Such documents are likely to contain personal and potentially sensitive financial or medical data. This could have a significant impact on those affected. It is not yet known how many people have been affected.
The breach was followed by a blackmail phase in which Scania employees were contacted directly via a proton.me email address. The attackers attempted to put pressure on the company and later published examples of the stolen data on hacker forums.
On May 30, the attacker sent emails from a proton.me address to several Scania employees, threatening to disclose the data. This was followed by a similar email from a third party whose email address had been taken over. Ultimately, the data was leaked by someone named Hensi.
The affected application has since been taken offline and an investigation into the incident has been launched. Scania said that the impact of the data breach was limited and that the authorities responsible for data protection had been notified.