The incident occurred on 28 and 29 May, targeting the subdomain insurance.scania.com, which has since been taken offline. According to Scania, the system was operated by a third-party IT provider. The attackers exploited login credentials belonging to a legitimate external user, likely obtained via password-stealing malware.
“We can confirm there has been a security-related incident in the application ‘insurance.scania.com’, the application is provided by an external IT partner,” a Scania spokesperson told BleepingComputer. “Our current assumption is that the credentials used by the perpetrator were leaked by a password stealer malware.”
The compromised account was used to access and download claim-related documents. Threat actor “Hensi” later claimed responsibility, offering to sell 34,000 stolen files on a cybercrime forum. The attacker also sent extortion emails to Scania employees using a ProtonMail address. A follow-up email was sent from a third party whose account had also been compromised.
The company says the breached application has been disabled and privacy authorities have been notified. An internal investigation is ongoing.
Security experts warn that the use of stolen credentials remains a common attack vector.
Commenting on the incident in Security Magazine, Erich Kron, Security Awareness Advocate at KnowBe4, said:
“Stolen credentials continue to be a significant security concern and were used in this attack.” He added that phishing-resistant multi-factor authentication could greatly improve account security — not only for internal accounts but also for third-party users with occasional access.
