Hackers demand $1.5m ransom in major cyberattack

In one of the largest corporate cyberattacks in Bangladesh, the country's leading supermarket chain Shwapno has confirmed that its customer database was breached, with hackers demanding a ransom of $1.5 million.
The incident came to light after sensitive customer information-including names, mobile phone numbers and purchase histories-began circulating on social media, raising widespread concern among users.
Shwapno, a subsidiary of ACI Limited, operates more than 800 outlets across 63 districts and serves over 4 million registered customers, indicating the nationwide scale of the exposure.
According to company officials, the attackers had gained unauthorised access to the system months earlier, with indications that the breach may date back to late 2025.
The hackers reportedly issued the ransom demand in August last year.
Managing Director Sabbir Hasan Nasir said the company has refused to comply with what it described as "illegal and unethical" demands, maintaining a strict policy against paying cybercriminals.
In its official response, the company said it had immediately launched an internal audit under the supervision of ACI's management information systems (MIS) division and implemented preventive measures to secure its infrastructure.
It also claimed that no sensitive financial information of customers had been compromised.
Shwapno added that it has strengthened its cybersecurity framework by deploying advanced firewall systems, enterprise-grade server protection, and round-the-clock network monitoring by both local and international specialists.
The company is working closely with the Counter Terrorism and Transnational Crime (CTTC) unit of Dhaka Metropolitan Police, alongside forensic experts, to investigate the breach and bring those responsible to justice.
A case is currently being processed with Tejgaon Industrial Area.
Despite these steps, questions remain over the delay in notifying customers, as the breach appears to have occurred months before public disclosure.
Cybersecurity analysts warn that the leaked data-particularly purchase histories and phone numbers-could be exploited for targeted phishing attempts and fraud.
Customers have been advised to avoid sharing personal or financial information over unsolicited calls or messages and to remain cautious about suspicious links.
The company has urged users to stay vigilant, reiterating that it never asks for passwords or one-time codes over phone calls.
bdsmile@gmail.com