
Salesforce Refuses to Pay Ransom in Massive Data Breach

Summary

– Salesforce is refusing to pay an extortion demand from a crime syndicate claiming to have stolen about 1 billion records from its customers.
– The threat group, calling itself Scattered LAPSUS$ Hunters, began its campaign in May by making voice calls to trick organizations into connecting malicious apps to their Salesforce portals.
– Mandiant tracks the group as UNC6040 and has been unable to confirm its connections to other known data-extortion actors.
– The group created a website listing Toyota, FedEx, and 37 other affected customers and demanded a ransom from Salesforce by a Friday deadline to prevent data leaks.
– A Salesforce representative confirmed via email that the company is rejecting the extortion demand.

In a bold cybersecurity stance, Salesforce has publicly refused to pay a ransom following an extensive data breach impacting numerous clients. The software giant confirmed it will not negotiate with cybercriminals who allege they have stolen close to one billion customer records. This firm position highlights the ongoing corporate dilemma of whether to meet extortion demands or risk potential data exposure.

According to a June report from Google-owned security firm Mandiant, the extortion campaign began in May. Attackers made direct phone calls to organizations using Salesforce, with English-speaking operatives fabricating scenarios that tricked employees into connecting malicious applications to their Salesforce accounts. Surprisingly, despite the unusual approach, many recipients complied with these instructions, granting access to their systems.

The hacking collective orchestrating this attack operates under the name Scattered LAPSUS$ Hunters, blending identifiers from three notorious cybercrime groups: Scattered Spider, LAPSUS$, and ShinyHunters. Mandiant researchers, who classify the entity as UNC6040, have not yet confirmed definitive links between these actors, indicating the complex nature of modern cyber threats.

Earlier this month, the group launched a dedicated website listing Toyota, FedEx, and thirty-seven other Salesforce customers as breach victims. The hackers asserted they obtained approximately 989.45 million records, rounding the figure to “~1B+” records compromised. Through the site, they issued an ultimatum demanding that Salesforce initiate ransom negotiations, warning that failure to pay would result in the public release of all stolen customer data. The message emphasized that a single payment from Salesforce would exempt individual customers from further extortion, and it set a strict deadline of the past Friday.

A Salesforce representative responded via email this Wednesday, stating the company unequivocally rejects the ransom demand. This decision reinforces Salesforce’s commitment to not funding criminal activities, despite the severe risks of data leakage for its client base.

(Source: Ars Technica)
