Naivas regrets to announce that alongside many corporates and organisations in and outside Kenya, we have been the victims of a ransomware attack by an online criminal organisation (Threat Actor). This unlawful intrusion may have compromised some of our data. Naivas has contained this attack, and our systems are secure and our operations are normal.
On becoming aware of the attack, Naivas took immediate steps to prevent external access and engaged leading cybersecurity experts CrowdStrike to ensure system integrity. This process is complete and our systems are secure. We are cooperating with the relevant law enforcement agencies, as they investigate this and the many current ransomware attacks in Kenya.
Naivas has been made aware that the Threat Actor has claimed to have stolen some of our data and is alleging that this may be published in due course. We and law enforcement agencies are monitoring this closely. Naivas has also informed the Office of the Data Protection Commissioner Kenya of this incident.
Naivas would like to confirm that we do not hold any credit card/debit card information on our systems, and that such payment information is handled securely and protected through Secure Sockets Layer (SSL) encryption.
At this moment, we are not aware of any malicious use of stolen data. However, in a situation of this type it is recommended that you pay particular attention to any phishing attempts (by phone, SMS or email) and ensure that your passwords are sufficiently strong.
We take the protection of personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity may cause.
For further information around this, please refer to our FAQs below.
Willy Kimani
Chief Commercial Officer
FREQUENTLY ASKED QUESTIONS ON NAIVAS DATA THEFT
1. Did Naivas suffer a ransomware attack?
Naivas alongside many corporates and organizations in and outside Kenya was the victim of a ransomware attack by an online criminal organization (Threat Actor). The attack has been contained, our systems are secure and our operations are normal.
2. What steps has Naivas taken to protect its systems?
On becoming aware of the attack, Naivas took immediate steps to prevent external access and engaged leading cybersecurity expert CrowdStrike to ensure system integrity and undertake a forensic review. We have also enhanced our cybersecurity practices. This process is complete and our systems are secure.
CrowdStrike is a leading global cybersecurity firm (www.crowdstrike.com).
3. I shopped with Naivas using my credit card / debit card in the past, has my card data been compromised?
No. Naivas does not hold any credit card or debit card information on its systems, neither for in-store transactions nor for payments through the Naivas e-commerce website. Our payment service providers safeguard your data via technology and operational controls such as access control, cryptography, physical and environmental security, monitoring and compliance. In addition our payment service providers are certified in ISO 27001 security standards and by the relevant regulatory authorities.
4. Can I shop securely with Naivas?
Yes. Our systems are fully operational and secure, in-store and on the Naivas e-commerce platform. Our payment service providers safeguard your data via technology and operational controls such as access control, cryptography, physical and environmental security, monitoring and compliance. In addition, our payment service providers are certified in ISO 27001 security standards and by the relevant regulatory authorities.
5. Has credit card information been compromised?
No. Naivas does not hold any credit card or debit card information on its systems, and such payment information is handled securely and protected through Secure Sockets Layer (SSL) encryption. For mobile money, Naivas only records the related transactional information as is customary for all mobile money transactions in Kenya.
6. Are customer loyalty points impacted?
No. Customers can continue to earn and redeem points as per normal. No point balances have been lost.
7. What customer personal information does Naivas hold?
Naivas holds personal information for its loyalty card members. This information, to the extent supplied by its customers, includes: name, ID number, telephone number, email address, and home address.
Note we do not hold payment details for any of our customers on our systems such as bank account details, Personal Identification Numbers (PINs) or passwords.
8. Has any data been stolen from Naivas?
As a result of the ransomware attack, the Threat Actor had access to some of our data. The Threat Actor claims to have stolen data and is threatening to leak this data online. Such data may include customer personal information.
9. Is the data Naivas holds now secure?
Yes. The data in Naivas’ custody is safeguarded via a myriad of technologies such as CrowdStrike, and operational controls such as access control, cryptography, physical and environmental security, monitoring and compliance.
10. What steps should customers undertake?
Customers can continue to shop securely with Naivas, in our stores and online irrespective of payment method.
At the moment, we are not aware of any malicious use or distribution of our stolen data, and we are working closely with cyber security authorities locally and internationally to manage and contain the incident.
However, it is recommended in the face of this type of situation to remain vigilant, while paying particular attention to any phishing attempts by fraudsters. We also recommend that you proactively maintain cyber hygiene by updating or changing your passwords. Remember, at all times, DO NOT share passwords or PIN numbers over the phone or email.
11. What is phishing?
Phishing is the fraudulent practice of contacting individuals (e.g. via email, SMS or phone) purporting to be from reputable companies (e.g. a bank) in order to induce individuals to reveal personal information, such as passwords, bank account or credit card numbers. Often these email addresses and phone numbers will look similar (or even identical) to those used by the actual organization. Naivas will never contact you over the phone or email asking for personal information.
Customers are urged never to reveal confidential information such as passwords or PIN numbers over the phone, and if in doubt hang up and contact the relevant institution through the telephone numbers displayed on their website or visit them in-store.
12. Who at Naivas should I contact for further information?
Should you wish to contact us for further information regarding the incident, please contact the Naivas Data Protection Officer, Jean Wambui ([email protected]) or visit us in any one of our stores.
For any other information, please contact our customer service line at [email protected].