Here is the complete intel brief.

title: "Shwapno: Ransomware Data Breach Exposing 4 Million Customers" date: 2026-06-29 slug: shwapno-supermarket-data-breach-ransom

Shwapno: Ransom-Driven Breach of Bangladesh's Largest Grocery Chain

Shwapno, the largest supermarket chain in Bangladesh and a subsidiary of conglomerate ACI Limited, has suffered a data breach exposing the personal details of roughly 4 million (40 lakh) customers, according to reporting from Alarkani. Attackers behind the intrusion are demanding a $1.5 million ransom. The compromise reportedly began in December but went undetected for approximately three months, and the company has not yet issued a public statement on the incident.

What Happened

According to the source reporting, attackers gained access to Shwapno's customer data systems in December. The breach went undetected for roughly three months before being identified, a dwell time that gave the intruders extended freedom to access, copy, and exfiltrate customer records.

Following the intrusion, the attackers issued a ransom demand of $1.5 million. Shwapno has reportedly declined to negotiate or pay. The company is said to be working with forensic experts and law enforcement to investigate the breach and harden its defenses, but as of reporting it had not released a public statement acknowledging the incident to affected customers.

The exposure was severe enough that, per the reporting, one customer was able to pull up the detailed purchase history and transaction data of a family member simply by entering a phone number, indicating that sensitive records were broadly and trivially accessible.

What Was Taken

The breach reportedly affects approximately 4 million customers. Based on the reporting, exposed data includes:

• Customer personal details and contact information, including phone numbers
• Detailed purchase histories
• Transaction data

Purchase and transaction histories are particularly sensitive because they reveal behavioral patterns, spending habits, household composition, and location indicators tied to specific individuals. Combined with phone numbers and personal identifiers, this data is well suited to targeted phishing, social engineering, and fraud campaigns.

Why It Matters

This incident is a clear illustration of how retail and grocery chains have become high-value targets. Supermarkets accumulate massive volumes of loyalty, contact, and transaction data while often underinvesting in security relative to the sensitivity of what they hold.

The three-month detection gap is the central failure here. Extended dwell time is the difference between a contained incident and a full-scale data exfiltration, and it signals gaps in monitoring, logging, and alerting. The reported ability to retrieve another person's records using only a phone number further points to weak access controls or an exposed interface, not merely a server-side theft.

For the broader region, this case underscores the rising tempo of cybercrime in South Asia and the reputational and regulatory consequences of slow, opaque breach communication. The absence of a timely public statement compounds customer risk, because affected individuals cannot take protective action against fraud they do not know to expect.

The Attack Technique

The source reporting does not specify the precise initial access vector or the identity of the threat actor. What is described is consistent with a data theft and extortion operation: the attackers obtained access, exfiltrated a large customer dataset, and then leveraged it for a monetary ransom demand rather than, or in addition to, encryption.

The reported scenario in which a customer could access another person's transaction history via a phone number suggests a possible insecure direct object reference or a broken access control weakness in a customer-facing system. If such an interface existed, it may have offered a low-effort path to enumerate and harvest records at scale. This remains unconfirmed pending the forensic investigation.

What Organizations Should Do

• Audit customer-facing lookups and APIs for broken access controls and insecure direct object references; ensure a user can never retrieve another customer's data by changing an identifier such as a phone number.
• Reduce detection and response time by deploying centralized logging, anomaly detection, and alerting on large or unusual data access and exfiltration patterns, so a December intrusion is not discovered in March.
• Minimize and segment retained data; do not keep granular transaction histories indefinitely, and isolate sensitive datastores from internet-facing applications.
• Prepare and rehearse an incident response and breach notification plan so customers can be informed quickly and given guidance on phishing and fraud, rather than left uninformed for months.
• Enforce strong authentication, least-privilege access, and encryption of sensitive customer data at rest and in transit.
• Establish a clear, pre-decided policy on ransom demands in coordination with legal counsel and law enforcement, and validate offline, tested backups so operational recovery never depends on an attacker.

Sources: Shwapno Data Breach: 40 Lakh Customers' Details Exposed! Hackers Demand $1.5M Ransom! (2026)