Shell Vendor Data Breach: Are You Secure?

Shell conducted an investigation and discovered a data breach involving a third-party provider they work with. 

This incident had no direct impact on Shell's internal systems or customer data, but it is crucial to understand its details and potential effects.

? #DataBreach ?

A potential data breach at Shell has been detected on a hacking forum: 80K records reportedly affected.

According to the post, in May 2024, Shell suffered a data breach leading to the theft of a database containing 80K records and affecting multiple countries:… pic.twitter.com/XpTPjsjPZG

— HackManac (@H4ckManac) May 29, 2024

Shell Data Leak: What Just Happened?

A hacker group claimed to have breached Shell, affecting 80,000 users. While the hackers provided sample data most likely related to Australian Shell stations, Shell acknowledged that a vendor they use for mystery shopping services experienced a data breach on a different platform, not Shell's systems. 

The vendor has informed impacted individuals, and Shell is not commenting further because they do not control the data.

What You Need to Know?

Shell customers take note! An inquiry is underway after a data breach affected a third-party vendor who works with Shell. Here is what we know so far:

No Shell Customer Data Exposed

The most significant point is that no Shell customer data has been exposed. Shell ensures that its internal systems and consumer data are secure.

Mystery Shopping Vendor at the Center

The impacted vendor offers Shell "anonymous mystery shopping services".

Data Leak via Third-Party Platform

The vendor used another platform to store information about their mystery shoppers. This platform appears to be the source of the leaks.

Undefined Scope of Leaked Data

Details about whatever information may have been compromised are still present.

Which Data Was Compromised?

The details exposed in the alleged Shell data breach are unclear. While hackers claimed that they obtained data such as shopper codes, names, emails, phone numbers, and even some transaction details, this information reportedly only applied to Australian mystery shoppers for Shell at Reddy Express (previously Coles Express) locations. 

Shell, on the other hand, denies that its systems were breached and maintains the leak occurred on a third-party platform utilised by a mystery shopping vendor.

A Shell spokesperson wrote in an email:

"Our investigation shows that the data in question did not come from a Shell system, nor was Shell-held customer data exposed," 

Shell's Response to the Reported Data Breach

Shell denied allegations of a data breach on their systems. They confirmed they were investigating the issue and clarified that:

• The exposed data belonged to a company that provided them with mystery shopping services, not Shell customers.
• The privacy incident affected the vendor's separate platform rather than Shell's systems.
• The vendor is currently contacting affected individuals and relevant authorities.
• Shell underscores its commitment to cybersecurity and will continue to monitor its IT systems.

Are the Strings Matched?

The Shell data breach incident is similar to two major types of cyberattacks:

SolarWinds Supply Chain Attack

Hackers used a software update from SolarWinds, a provider of IT management software, to obtain access to the systems of several US government organisations and private companies.

Right after claiming CISA's statement was false, the motion goes right into Section D: "The Solar Winds "SUNBURST" Attack."

This is extremely notable for many reasons but most importantly, and as I have written about... pic.twitter.com/7yzgClneh4

— Jon Herold (@patel_patriot) November 28, 2023

Kaseya Supply Chain Attack

A similar attack targeted a software package from Kaseya, a firm that provides IT remote management solutions, and affected thousands of businesses globally.

What’s Your Next Step!

Here's how you can prevent future situations like the Shell data breach:

Be Careful With Your Online Information

• When signing up for services, particularly those provided by third-party vendors, consider the data you share. 
• Provide only what is essential.

Maintain Excellent Password Protection

• Create unique and complex passwords for all of your accounts, and enable two-factor authentication whenever possible. 
• This increases security by needing a second verification code in addition to your password when signing in.

Stay Updated on Data Breaches

• Signing up for credible security breach notification services might help you find out if your information has been compromised in a data leak.

Be Aware of Phishing Attempts

• Do not click on any unusual links or attachments in emails, even if they appear to be from legitimate sources. 
• Phishing emails frequently attempt to fool you into providing personal information or clicking on harmful links that download malware.

Consider Credit Monitoring

• While not a perfect approach, credit monitoring services can notify you of any strange behaviour on your credit report that could indicate identity theft.

Beyond Shell: Insights from a Third-Party Information Security Breach

While the breach appears to have been confined, the Shell data leak offers a severe warning of the ever-changing cybersecurity landscape. 

As consumers, we trust organisations with our personal information, and data breaches by third-party suppliers highlight vulnerabilities that we may be unaware of. 

This incident emphasises the need for both organisations to prioritise good security measures throughout their supply chain and for people to stay alert about their online presence. 

By taking the steps indicated above and remaining informed, we can gain control of our online activities and reduce the dangers connected with data breaches.