Swedish automotive leader Scania has confirmed a cybersecurity breach affecting its Financial Services division says spokesperson of Scania. Threat actors exploited stolen login credentials to access an external platform tied to insurance claims. The attackers downloaded sensitive documents and attempted to extort the company by threatening to leak the data.
Scania, a core brand in the Volkswagen Group, is known globally for producing trucks, buses, and engines. The company employs more than 59,000 staff and generates over $20 billion annually. The targeted system, insurance.scania.com, was hosted by an external IT provider and is no longer online.
Stolen Credentials Used in Breach and Extortion
According to Scania, the intrusion occurred on May 28–29 using login data likely compromised by password-stealing malware. The attacker used a legitimate external user account to retrieve files containing sensitive insurance information. On May 30, the threat actor emailed Scania staff via ProtonMail, threatening to release the data unless demands were met.
A second extortion email followed, sent from another unrelated but compromised third-party account. Soon after, a user named “Hensi” leaked a portion of the stolen data on a hacking forum and offered the rest for sale.

Scania Responds and Notifies Authorities
Scania immediately launched an internal investigation and reported the incident to data protection authorities. While the scope of the breach remains under review, the company described the overall impact as limited. The exposed insurance documents may include personal and financial information, but the total number of affected individuals is still unknown.
Eye World will continue monitoring developments in this case and similar threats targeting the automotive sector.