The country’s largest supermarket chain Shwapno has said hackers breached its customer database and are demanding a ransom of $1.5 million, or more than Tk 18.3 crore.
The disclosure came after customer names, phone numbers and purchase histories began making round-ups on social media.
Sabbir Hasan Nasir, managing director of Shwapno, told The Daily Star that hackers had taken control of the company’s website and database in December last year.
The attackers were seeking $1.5 million in exchange for restoring access, he said.
Image
Shwapno has more than 40 lakh registered customers. It runs 812 outlets across 63 districts. The exposed information includes customer names, mobile phone numbers and purchase histories.
However, Nasir could not confirm how much data had been compromised. He said the company is preparing to file a case.
“When I checked the leaked database, I entered my wife’s phone number and immediately found her record,” said a customer of Shwapno in Dhaka’s Gulshan.
Her name, purchase history, and detailed transaction data were all visible.
“This is not a theoretical risk; it is real, personal and already exposed. If one record is this accessible, millions of others are equally vulnerable,” the customer told The Daily Star.
Shwapno, a subsidiary of ACI, is working with domestic and international forensic experts, as well as the Counter Terrorism and Transnational Crime unit of police, to investigate the breach and strengthen its cyber defences.
“We want to assure customers that their sensitive personal financial information is secure,” he said.
They do not want to compromise with this unethical hacking. “When we stated that we would not participate in any unethical dealings, they responded with threats.”
A member of The R3sistanc3 and cybersecurity specialist said that hacked data such as names, phone numbers, purchase history and other information creates multiple risks.
The member explained that this information can be used to track consumer behavior and preferences, leading to increased spam calls and unsolicited marketing.
The specialist further said that a more serious threat arises when customers use the same phone number for mobile financial services like BKash or bank accounts.
In such cases, fraudsters can exploit this linkage to carry out targeted scams, as access to a verified contact number makes it easier to impersonate service providers and deceive users, the expert said.
According to the specialist, as banking services become increasingly phone-dependent, both mobile and traditional accounts become more vulnerable if customer data is not properly protected.
The R3sistanc3 member also said that information about the products a customer purchases can be accessed by other companies as lead data.
The greatest risk lies in the phone number, which is collected through biometric methods, making it relatively easy for attackers to obtain a customer’s personal information, the expert added.
In the 2024 Global National Cyber Security Index report, Bangladesh secured 35th place among 175 countries, outperforming India, which ranked 36th, and Pakistan, which stood at 85th.
