Scania, the renowned Swedish manufacturer of heavy trucks and buses, has confirmed a cybersecurity breach that resulted in the theft of sensitive insurance claim documents. In a statement to BleepingComputer, the company revealed that the attack occurred on May 28, 2025, when unauthorized individuals utilized compromised credentials belonging to an external IT partner to access its Financial Services systems.
The attackers threatened Scania employees via email, demanding ransom in exchange for not disclosing the stolen data publicly. As reported by Hackmanac, a threat monitoring platform, a post on a hacking forum indicated that the threat actor, identified as ‘hensi,’ was attempting to sell the stolen documents to exclusives buyers, further underscoring the potential gravity of the breach.
According to a spokesperson from Scania, the breach was made possible due to the theft of credentials by infostealer malware. The spokesperson stated, “Using the compromised account, documents related to insurance claims were downloaded,” highlighting the potential risk of exposing personal and sensitive data to affected individuals. The company, which employs over 59,000 personnel and generates approximately $20.5 billion in annual revenue, has not disclosed the exact number of individuals impacted by the breach.
Following the initial breach, the attackers contacted Scania employees through a @proton.me email address to escalate their demands, leading to a follow-up communication from another compromised third-party email account. Although the breached application is reportedly no longer accessible online, Scania has confirmed that it is working diligently to investigate the incident fully and has notified the relevant privacy authorities about the breach, which the company says has had a limited impact.