Coop Sweden: The real danger lurked on-premise

Solna / Miami / Bremerhaven. (eb) On Friday evening, July 02, Sweden’s Coop Group experienced major IT disruptions that affected cash registers at its more than 800 stores from Katterjokk in the north to Smygehamn in the south. This is part of a larger global incident targeting U.S. software company Kaseya, Coop reports. Several other Swedish and international companies have been affected by the same event. Coop Sweden is working hard to resolve the issues as quickly as possible.

In addition to stores in Värmland, Norrbotten, Oskarshamn, Tabergsdalen, Gotland and Varberg, a larger number of stores across the country opened on Sunday and are using the Scan + Pay app to allow customers and members to shop in-store. For organizational reasons, this solution is not yet possible for all stores, so unfortunately some locations remain closed. Customers can keep an eye on the stores’ social media websites for the latest updates. Customers can also shop as usual on and have items delivered to their homes according to the delivery options.

The incident is serious because it spread around the world, and Coop Sweden is continuing efforts to ensure that all stores can reopen as soon as possible.

The real vulnerability was and is the company’s own server

IT management company Kaseya responded quickly to the incident, immediately shutting down its own SaaS servers out of an abundance of caution. According to Kaseya’s assessment, the attack was limited to a small number of on-premise customers of its «Unified Remote Monitoring + Management» (VSA) product – around 40 company-owned VSA servers worldwide. Kaseya immediately contacted all on-premise customers and asked them to shut down the servers. In addition, the IT management company is working closely with several security firms to thoroughly investigate the incident, according to a statement.

In other words, the impression given by the public reporting of the last few days, that a security hole was the gateway, is only partially correct. The real security hole in this case was and is the company’s own VSA server. Due to varying response times around the globe, it was possible for attackers to target various proprietary VSA servers. Kaseya’s own SaaS servers, on the other hand, were spared (SaaS – Software as a Service – «Cloud»). So the attack on the Coop Group’s VSA server was successful because the response time in Sweden was probably too long. The approximately 36,000 VSA customers worldwide with SaaS server access were not at risk at any time. More details are available on the Kaseya server under the heading «Updates Regarding VSA Security Incident».
