Nestlé headquarters in Route de Lavaux showing cyber attack and data leak

Did Anonymous Carry Out a Cyber Attack on Nestlé? Company Claims Data Leak Was Internal

An odd spat is unfolding between the hacktivism group Anonymous and food & beverage giant Nestlé. A leak of internal company data has appeared, and an Anonymous-affiliated group has claimed responsibility for releasing it. But Nestlé says that the incident is not a cyber attack but an internal data leak, with the information being errantly published to the public-facing web for some weeks before the company realized what was going on.

Anonymous claims cyber attack on Nestlé

Nestlé has drawn the ire of some members of Anonymous as the hacktivists have taken up cyber arms against Russia over the invasion of Ukraine, given that the Swiss company was among those that initially refused to withdraw its products from the Russian market in protest (though as of last week the company has now pulled most of its major brands from the country).

YourAnonTV, an Anonymous-affiliated Twitter account with a substantial following (though not among the largest of these sorts of accounts), claimed last week that 10 GB of data had been stolen from Nestlé and leaked. The account did not provide a link to the full data leak, however, only offering a sample file that it said contained data on about 50,000 of Nestlé’s business partners.

However, nothing beyond that initial sample appears to have ever surfaced. Nestlé was quick to step in and comment, claiming that the data was instead written to a place where it was accessible to the public by accident and that the “hackers” most likely just stumbled across it.

Nestlé says that the data leak stems from a February test of some sort of business-to-business function in the company’s internal network. The data had apparently been made available on the public internet for some weeks before Anonymous made its claim of a cyber attack. The company also countered the Anonymous claim that the data leak contained passwords and sensitive customer information, saying that it consisted only of basic contact information.

The available data sample consisted of under 100 MB of SQL database dumps that appeared to mostly consist of purchase orders, and many of those appeared to be artificially generated (most likely the test that Nestlé was referring to). Several email addresses belonging to Nestlé staff and some of the company’s suppliers may have been real, but that appeared to be the extent of the personal information found in the data leak sample.

Evidence leans more toward internal data leak than external cyber attack

Whether or not the cyber attack is legitimate, Anonymous is continuing their campaign against Nestlé as the company has not fully withdrawn its products from the Russian market.

Nestlé issued a statement indicating that it would keep “essential” food items such as infant formula and products earmarked for hospitals available in the country, withdrawing only its popular snack and beverage brands such as Nesquik and Kit Kat. It said that it will not aim to make a profit (or pay taxes to the Russian government) on these sales and would donate any profit it might make to international humanitarian relief efforts. Nestlé also operates in Ukraine and says that it is maintaining 60% of its prewar volume of food product distribution in the country.

Garret Grajek, CEO of YouAttest, notes that no matter how well-intentioned or seemingly justified vigilantes may be, they are likely breaking international laws and doing unrelated damage with their cyber attacks and data leaks. But ultimately, it remains up to each organization to keep them out: “This anonymous threat on Nestlé is a clear example of how we cannot let hacker groups set international policy on what is proper or improper conduct. It’s the worst kind of kangaroo court for social justice imaginable. It is imperative that enterprises, especially the ones listed out as critical infrastructure by the Biden administration, place a high priority on cyber security – especially principles like zero trust and identity governance that proactively stop the spread of intrusions and alert the enterprise of malfeasance.”

Anonymous is a particularly difficult group to please due to its decentralized nature; just about anyone can fly the “Anonymous” flag in association with their actions, and the only deciding factor in broader acceptance seems to be if the larger Twitter accounts and sources of distribution the group has opt to get behind that action and amplify it as something the collective supports. Attacks associated with Anonymous have mostly focused on the Russian government and on state-run television channels to date, but the group has also shown willingness to attack private businesses and its whims can change over time.

The private companies it attacks generally have direct connections to the Russian government, such as its recent breach of oil drilling firm MashOil (which contracts with state-run energy company Gazprom). This campaign of pressure on companies that keep products on Russian shelves, something that might only impact Russian consumers, has been the one big exception thus far. The collective issued a general warning to all companies last week, and has posted images of international corporations that appear to be foremost in its crosshairs for future cyber attacks. It is yet to be seen what kind of action this will translate into, as aside from the Nestlé incident the Anonymous Twitter accounts have had a recent focus on once again going after Russian state-run TV and media to display “anti-propaganda” by breaching them.

Nasser Fattah, North America Steering Committee Chair for Shared Assessments, notes that hacktivism that aligns with sudden geopolitical events is likely an underlooked risk of cyber attacks and data leaks for many organizations: “When we look at external forces, which are many, that can impact an organization, often we do not think about such formidable forces, like hacktivist groups, in the equation. But knowing that hacktivist group(s) have been vocal and actively involved in the conflict in eastern Europe, organizations operating in that part of the world need to include such risk scenarios in their radar screen.  And primarily because a risk like this can quickly materialize, which now becomes an unexpected issue for an organization to manage. Note this risk scenario is comparable for organizations, not directly operating in Russia, but have critical suppliers working in Russia – where their critical suppliers are now the target.”

Nestlé was quick to step in and comment, claiming that the leaked data was written to a place where it was accessible to the public by accident and that the #hackers most likely just stumbled across it. #cybersecurity #respectdataClick to Post

Neil Jones, director of cybersecurity evangelism for Egnyte, provides some starting points of advice for organizations in countering this threat: “An effective incident response plan needs to account for potential attacks that originate from hacktivist organizations, disgruntled employees and even competitors who are trying to get an edge in a critical market. Best practices to reduce the likelihood of attacks such as Nestlé’s include the following:

  1. Restricting data access based on an end-users’ ‘business need to know.’
  2. Implementing technology that detects suspicious log-ins, particularly from unexpected geographical regions.
  3. Proactively stating your company’s position on key geo-political events, via PR efforts and on social media, and updating positioning as conditions change.

“With the explosion of social media across the world and the ease at which many organizations can be breached, I anticipate that this trend will continue.”