A hacker group claims to have stolen and leaked a trove of Nestlé’s data. The company says that can’t possibly be true. Why? Because the data was actually leaked by Nestlé itself several weeks ago.
In emails to Gizmodo, a Nestlé spokesperson disavowed allegations from the hacktivist collective Anonymous, which claimed this week to have stolen and leaked a 10-gigabyte tranche from the global food and beverage conglomerate. Anonymous said it was punishing Nestlé for its reluctance to withdraw from Russia, as a host of other major companies have done. The data, which Anonymous said included internal emails, passwords, and information on Nestlé’s customers, was posted to the web on Tuesday.
Anonymous says it’s on a mission to punish any company that won’t boycott Russia over the devastating war in Ukraine, and Nestlé—which had previously expressed reluctance to scale back operations in the country—has apparently been at the top of its list.
But, according to Nestlé, Anonymous is full of it. A spokesperson told Gizmodo, “This recent claim of a cyber-attack against Nestlé and subsequent data leak has no foundation.”
The spokesperson explained that the trove of data floating around the web was, in fact, the product of a mistake the company made earlier this year: “It relates to a case from February, when some randomized and predominantly publicly available test data of a B2B nature was made accessible unintentionally online for a short period of time.”
Huh, well there you have it! Hard to hack someone who has effectively hacked themselves. In a follow-up email, the same company spokesperson explained that the data, some of which was already public and some of which was not, had been accidentally published to the open internet for multiple weeks. According to the spokesperson:
“Some predominantly publicly-available data (e.g., company names and company addresses and some business email addresses) was erroneously made available on the web for a limited period of time (a few weeks). It was detected by our security team at the time and the appropriate review was carried out. The data was prepared for a B2B test website to perform some functionality checks.”
Nestlé has not specified what non-public data was leaked alongside the public information. We also asked the company whether it had internally treated the incident as a data breach, but we haven’t heard back yet.
Meanwhile, a recent investigation by Cybernews seems to further erode the narrative put forth by Anonymous. The outlet found that, instead of 10 gigabytes, the publicly available data that had been released only amounted to 5.7 megabytes—a sliver of the supposed tranche.
Whether the recent hacking claims had anything to do with it or not, Nestlé finally caved to public pressure on Wednesday and suspended a significant portion of its operations in Russia. In a statement posted to its website, the company said it planned to partly scale back its product sales in the country, while continuing to provide “essential food, such as infant food and medical/hospital nutrition.” Anonymous wasn’t satisfied with this, however. “Partly?! NO! Get your full ass out of Russia!” the group chimed in via Twitter.