French digital automation and energy management giant Schneider Electric is investigating a data breach after a hacker claimed to have stolen dozens of gigabytes of data and demanded a hefty ransom in Baguettes, the classic French bread.
Schneider Electric manufactures various energy management and automation products, from home electrical components to industrial control systems. The Rueil-Malmaison, France-based company employs over 100,000 people and earned $39 billion in revenue in 2023.
“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment,” the company stated.
However, the company said the cybersecurity incident did not affect its operations, thus ruling out a ransomware attack.
“Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric’s products and services remain unaffected,” the company added.
Schneider Electric data breach leaked critical information
The Hellcat ransomware gang has claimed responsibility for the Schneider cyber attack, which allegedly leaked 40 GB of critical data, including projects, plugins, and over 400,000 rows of user data in compressed format.
The stolen user records include names and email addresses, a goldmine for cybercriminals interested in phishing attacks.
The threat actor claims they compromised the company’s Atlassian Jira system, which the company says was hosted on an isolated infrastructure. Thus, the group is unlikely to have compromised other parts of the company’s network.
“We have successfully breached Schneider Electric’s infrastructure, accessing their Atlassian Jira system,” Hellcat said.
The ransomware group demands a large extortion amount, threatening to leak the stolen data if Schneider fails to pay the ransom.
“To secure the deletion of this data and prevent its public release, we require a payment of 125,000 USD in Baguettes,” demanded the ransomware group. “Failure to meet this demand will result in the dissemination of the compromised information.”
However, the cybercrime gang offered to reduce the extortion amount by half, should the company officially acknowledge the data breach.
“Stating this breach will decrease the ransom by 50%, it’s your choice Olivier,” Hellcat said, addressing the newly appointed CEO Olivier Blum.
Multiple breaches over last two years
The Schneider data breach is the third the company has experienced within two years. In February 2024, the Cactus ransomware group breached the company’s Sustainability Business division and deployed malware. The data breach affected the Resource Advisory data visualization tool and other “division-specific systems,” resulting in the exfiltration of terabytes of data.
Numerous high-profile companies that depend on Schneider’s sustainable energy solutions were affected, including Allegiant Travel, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart.
In June 2023, Schneider Electric was also among thousands of organizations impacted by the MOVEit third-party data breach claimed by the Clop Ransomware group.
Meanwhile, the Schneider data breach surfaced shortly after the Hellcat ransomware group claimed it breached the Jordanian Ministry of Education and Tanzania’s College of Business Education.
First identified in October 2024, the Hellcat ransomware group is a new cybercrime gang striving to earn “street cred,” hence the unusual ransom payment method and the demand for public acknowledgment. Most likely, the ransomware group will eventually settle for payment in cryptocurrency instead of Baguettes.
Hellcat also likely inflated the ransom amount to exaggerate the severity of the breach, hence the unsolicited 50% discount offer, which doubles as an attempt to lure Schneider into acknowledging the group. Schneider Electric has not indicated whether it intends to pay the ransom.