This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Shell

Summary

Shell suffered a data breach in May 2024 affecting its customer loyalty program in multiple countries including Australia. A threat actor known as "888" posted 80,000 rows of customer data to BreachForums, with sample data showing Australian customers shopping at Shell Coles Express locations.

Attack Vector

The breach occurred through a third-party vendor that provides Shell with anonymous mystery shopping services globally, rather than through Shell's own systems. The threat actor obtained and posted the loyalty program database containing customer information from nine countries: Australia, the UK, France, India, Singapore, the Philippines, the Netherlands, Malaysia, and Canada.

Consumer Impact

Exposed data includes shopper codes, first and last names, shopper emails, mobile contact numbers, postcodes, suburbs, and account status. The data appears to show Shell loyalty program customer details, with sample data revealing Australian customers at Shell Coles Express locations. Shell is partnered with Coles Express for retail petrol station operations in Australia, with Coles Express having been sold by Coles to Viva Energy in May 2023.

Response

Shell investigated the incident and confirmed that the data did not come from Shell's systems directly. The company stated it is not the owner or controller of the acquired data, attributing the breach to a vendor's cybersecurity incident. Shell clarified it cannot comment further as it does not control the compromised data.

Verification Source: View original statement