liam_tung
CSO Journalist

Attacker reveals some of the data stolen from Henning Harders

News
Mar 23, 2020, 3 mins
Ransomware, Security

The ransomware group Maze published 6.5GB of data revealing information on the distributor’s clients, its employees, and other commercial operations.


The group behind the Maze ransomware published a 6.5GB trove of commercial data it stole from Australian freight and logistics firm Henning Harders.

Henning Harders this week confirmed that it had detected an “organized attack” on its IT systems and warned some customers that commercial data may have been accessed.

However, details published by the attackers on Monday suggest a far more devastating attack, one that exposes not just customer data but also a massive amount of financially sensitive information and employee salary information stolen from the company’s network. Additionally, what the cybercriminal group has published is just its proof that it breached Henning Harders’s data, meaning the group may publish more data in future if a ransom is not paid.

The Maze attackers are among a few ransomware groups that have started threatening to publish sensitive information stolen during a ransomware attack in order to pressure victims into paying a ransom demand. Maze is also known to make huge demands. The group compromised the computers of US security personnel hiring firm Allied Universal in December and demanded the equivalent of US$2.3 million in bitcoin, as BleepingComputer reported at the time. Maze cybercriminals then published 700MB of data stolen from the company.

The two Zip archive files of Henning Harders’s data that the attackers published contain thousands of documents that expose the names of its corporate clients, which include major Australian and international brands, client email contact lists, annual profit and loss analysis reports, customer freight rates, salary reviews that contain the names and salaries of employees, and general operational documents. CSO Australia has seen the data but has chosen not to publish specific details or name the clients.

The Maze group also updated its page on Henning Harders to indicate that not just its Sydney and Melbourne offices were compromised, but also its offices in Brisbane and Perth, as well as Wellington and Auckland in New Zealand. The cybercriminal group has also published the names of key executives.

Henning Harders confirmed to CSO Australia that the customer data that was published is legitimate. “Henning Harders has become aware that the cyber attacker has started to publish some client data on an online forum controlled by it following unauthorised and illegal access to the company’s systems,” a Henning Harders spokesperson said in a statement. The company declined to say whether it had engaged in negotiations with the Maze attackers over the ransom demand or what amount the cybercriminals were asking for.

“Henning Harders sincerely apologises for any inconvenience,” it said. “We treat the privacy of customer data with the utmost seriousness and this will remain our top priority until it is fully resolved. Importantly, the company remains fully operational.”

Henning Harders today updated its advisory to acknowledge that the attackers had “started to publish some client and employee information on an online forum controlled by it. … All our customers and employees have been notified that some data has now been made public,” it said.

Liam Tung is a seasoned CSOonline.com tech reporter who's been covering cybersecurity, privacy, business, and legal issues that shape the tech industry in the US, Europe and Australia. Over the past decade, his work has frequently been distributed on influential tech news aggregator sites including Techmeme, Reddit, and Hacker News, the news-sharing site run by Silicon Valley accelerator, Y Combinator. Liam has worked with IDG Australia's CSOonline.com since 2011 and today remains one of its key contributors, offering news and insights into the latest ransomware threats from cybercriminals and government surveillance, as well as new initiatives from government cybersecurity agencies and global tech giants, including Google, Microsoft, Amazon, Facebook, Oracle and the many companies and organizations that specialize in cybersecurity. He's always on the lookout for the latest information about vulnerabilities and cyberattacks that could compromise the integrity of your data.
