Auto giant Scania has disclosed a data breach stemming from a third-party managed system in May 2025, which resulted in threat actors stealing insurance claim documents.
Sweden-based Scania is a subsidiary of Traton SE, a member of the Volkswagen Group. Specializing in heavy commercial vehicles, such as trucks and buses, it commands nearly a fifth (19%) of the European car market. It operates in ten locations worldwide, employing over 59,000 people. In 2024, the Swedish truck manufacturer reported $22 billion in annual revenue.
Scania learned of the data breach after the threat actors contacted its employees, threatening to leak the stolen documents online unless a ransom was paid.
Scania data breach leaks insurance claim documents
According to the threat actor, the data breach leaked 34,000 insurance claim documents, likely containing sensitive information.
However, details that may have been leaked are currently unclear, but they could include personal information, insurance details, and health data. Similarly, the number of victims impacted by the Scania data breach remains unknown.
According to threat intelligence platform Hackmanac, the attacker has listed the stolen insurance claim documents for exclusive sale to a single buyer, suggesting that Scania had refused to pay the ransom. Hackers usually publicize a data breach after the victim organization becomes uncooperative.
“Hi guys. We hacked new target and selling full attachment of ‘insurance.scania.com’. Full attached files is 34,000 and first time hacked + just will 1 hand sell,” the hacker posted.
The attacker claims the data breach was a first-time intrusion, suggesting that they did not have persistence. They also posted a few image samples of the stolen insurance claim documents as proof.
Meanwhile, Scania has confirmed the data breach and disclosed that it affected a third-party-managed subdomain ‘insurance[.]scania[.]com.’ Subsequently, other internal information systems and IT infrastructure were not affected during the attack and ransomware was likely not deployed.
Leaked insurance claims documents claimed to have limited risks
The automotive giant also assessed the impact of the data breach and claimed that the leaked insurance claim documents posed limited privacy risks. However, leaking insurance claim documents risks reputational damage, which could potentially undermine the company’s brand.
For now, the impacted subdomain has been taken offline to prevent further compromise. The company is also in the process of notifying the victims and regulatory authorities. Scania has also launched an investigation into the insurance data breach to determine the nature of the information stolen.
The Swedish bus and truck manufacturer also disclosed that the threat actor leveraged stolen credentials harvested using an infostealer, which extracts authentication credentials from web browsers, configuration files, and other sources.
Automakers are lucrative targets for cyber attacks due to the vast amount of personal information they collect from their customers. Additionally, their strong financial position and powerful brands make them more likely to pay the ransom.
In May 2025, the Stormous ransomware gang listed the Volkswagen Group on its data leak site, claiming it had breached the company and stolen troves of sensitive information. However, Volkswagen rubbished those claims, asserting that its investigation had uncovered no evidence of unauthorized third-party access to its systems or misuse of its company data.
