Skip links

Nestlé says it leaked its own test data, not Anonymous

Nestlé, which is to stop selling KitKats and other brands in Russia, says corporate data leaked online this week by Anonymous was not stolen nor all that useful.

The hacktivist group boasted it had obtained and dumped on the internet 10GB of the multinational’s records, including emails, passwords, and customer information, leading some to assume it was stolen during a network intrusion. However, Nestlé told The Register the data is not real or sensitive, wasn’t stolen, and was accidentally leaked by itself via one of its own websites.

“This claim of a cyber-attack against Nestlé and subsequent data leak has no foundation,” a spokesperson for the biz told us.

“It relates to a case from February this year, when some randomized and predominantly publicly available test data of a B2B nature was unintentionally made accessible online for a short period of time on a single business test website. We quickly investigated and no further action was deemed necessary. Cyber security is one of our top priorities. We continuously monitor the IT landscape and take all actions needed to ensure we stay cybersecurity-resilient.”

That 10GB of data is actually a 6MB download that unpacks to less than 100MB of plain-text SQL database dumps. These primarily list what’s said to be purchase orders from stores and Nestlé partners. A lot of the data appears to be made-up, complete with @example.com addresses, or uses publicly available information, such as the street addresses of shops and other vendors. There are a handful of real-looking email addresses in there, mainly Nestle.com ones, and one or two from what appears to be an IT supplier for the multinational.

It does seem to be, as Nestlé said, test data rather than a full-blown internal leak.

Separately, in a statement posted to its website on Wednesday, Nestlé voiced its support for Ukraine and its 5,800 employees who work in the country. The biz said it was mostly cutting ties with Russia amid President Putin’s invasion of his neighboring nation.

“As the war rages in Ukraine, our activities in Russia will focus on providing essential food, such as infant food and medical/hospital nutrition — not on making a profit,” Nestlé said. Any profit it does generate will be donated to humanitarian relief efforts, the company added.

“Going forward, we are suspending renowned Nestlé brands such as KitKat and Nesquik, among others,” the statement continued. “We have already halted non-essential imports and exports into and out of Russia, stopped all advertising, and suspended all capital investment in the country.”

The global food-equivalent giant’s stance on Russia came a few days after Anonymous called on “all companies” to halt sales and operations in the nation “Pull out of Russia! We give you 48 hours to reflect and withdraw from Russia or else you will be under our target!” the group tweeted, along with an image showing logos of more than 40 brands including Nestlé, Burger King, Cloudflare, and Citrix.

Some logos on the list, including Bridgestone Tires and Halliburton reportedly heeded the warning.  

And on Monday, Anonymous claimed to make good on its threats against Nestlé with a data dump:

Though as we’ve seen, it’s pretty much fake.

Is pro-Ukraine mischief ok?

As Russian aggression against Ukraine continues, hacktivists and cyber-criminals on both sides have sought to derail websites and networks, depending on where the gangs’ and developers’ loyalties lie.

Russia-based ransomware group Conti, for example, after pledging its loyalty to the Kremlin, suffered a massive security breach of its own at the hands of a Ukrainian techie. 

And last week, the developer of JavaScript library node-ipc deliberately introduced a critical security vulnerability that, for Russian and Belarusian netizens, would destroy their computers’ files by overwriting them with a heart emoji.

The programmer, Brandon Nozaki Miller, aka RIAEvangelist on GitHub, later revised his code to instead save a message of calling for peace, not war, on users’ desktops, and claimed the stunt was a “non-violent protest against Russia’s aggression.”

This and other cyber incidents have sparked a debate about whether Ukrainians and others who oppose the Russian war are justified in launching cyberattacks and online mischief against the invading country. 

A poll of “security experts” conducted by The Washington Post found 47 percent of respondents said launching offensive hacks against the Russian government is justified, while 53 percent said they aren’t.

The publication quoted Michael Daniel, who led the Obama administration’s cyber team and now serves as president of the Cyber Threat Alliance, as saying: “When a country faces an existential threat like what Russia poses to Ukraine, cyber volunteers are justified in launching offensive cyber operations against the attacking government, just like volunteers are justified in taking up physical arms to resist attackers.” ®

Source