Data breach, Vivara case: Medusa directs heavy accusations against the Brazilian multinational

A few days ago, we reported on our social media channels about a data breach involving Vivara. The Medusa ransomware group managed to exfiltrate over 1TB of data from the Brazilian multinational’s servers. Vivara, a leading player in jewelry sales, was listed on the São Paulo Stock Exchange in 2019 with a market value of 5.7 billion BRL (about $1 billion) and holds a 17% market share.

According to a recent report by Itaú BBA analysts, significant changes in the company’s management have already been assessed by the market in recent months. Thiago Macruz, head of research at Itaú BBA, provides insights into these developments.

“We recognize the execution risks inherent in adjusting the corporate structure; nevertheless, Vivara remains one of the most compelling growth stories in our coverage, with solid long-term prospects”

On July 25, Vivara Participações S.A. issued a statement to reassure its shareholders. The initial part of the statement, signed by CEO, CFO, and Investor Relations Officer Otavio Chacon do Amaral Lyra, paints a picture that sharply contrasts with the narrative presented by the Medusa group on their blog, where they reveal a different story backed by purportedly irrefutable evidence.

“[…] in light of rumors and news in the press, clarifies to its shareholders and the general market that in June it experienced a ransomware cyberattack attempt. However, there was no significant impact from this attack.” (translated from the Portuguese original)

“[…] immediately took appropriate security measures to mitigate impacts and maintain operational normality […] without causing significant impacts on the Company’s operations or customer experience.

[…] the Company emphasizes that it conducted a complete assessment of the incident to determine its extent and any need for additional measures. Having concluded this assessment, the Company confirms that the threat was neutralized without major impacts on the Company’s operations, systems, and customer data.”

Medusa has published confidential information including details about the CEO, senior management, employees, and customers, along with copies of driving licenses, identity cards, and passports. This includes documents related to Nelson Kaufman, chairman of Vivara, his daughter Marina Kaufman, her husband Guilherme Bueno Netto, and CEO Paulo Kruglensky. Medusa also disclosed administrative documents, electronic tax invoices, agreements, confidential emails, and the first page of Nelson Kaufman’s public will.

Furthermore, Medusa released documents pertaining to past tax justice proceedings against Nelson Kaufman from March 2012. The Federal Public Prosecutor had decided not to pursue criminal charges as the debt was previously resolved.

The accusations Medusa has leveled at Vivara since the July 25 statement are significant. Medusa sent us a copy of their response, which was also shared with other blogs. They claim that the statements made by Vivara are false and that, if their allegations are proven, Vivara Participações S.A. could face severe legal repercussions, including criminal charges.

Medusa alleges that many employees within Vivara were exploited, a serious claim that requires verifiable evidence to substantiate. They also accuse the company of illegal mining in the Yanomami tribe’s territory, a region inhabited by approximately 20,000 indigenous people, and link Nelson Kaufman to money laundering activities.

Medusa denies that Vivara neutralized the cyberattacks, claiming instead that they remained within the network for several months. They also criticize Vivara’s use of the VTEX platform for online payments, asserting that transactions were unsecured, leaving customers’ credit card data unencrypted.

Below is the full statement sent to us by Medusa:

“Hello, Team Medusa replying to Vivara do Brazil’s note about the incident.

– First of all they said about RUMORS, that their company suffered a ransomware attack?
Yes, they did and they try to calm the shareholders but the truth is never told and of course… this is a direct message to their customers and also to the Director Orlando and the President Otavio.
you deceive your own customers and your own shareholders, of course we will be transparent with all your customers, unlike your company.

1. First of all, the company was shut down more than twice. In the end, we learned how stupid you are trying to be clever, and the owner Nelson Kaufman is linked to money laundering activities, illegal mining in the Yanomami.
2. in the confidential messages we extracted we saw that many employees are used and abused.
they said they neutralized us when we were on the network for months and the network was blocked at 9pm and there wasn’t a living soul logged on to the network? a bit suspicious?
3. vivara tried to offer us a payment of a measly 400k$ divided into 8 annual installments so they wouldn’t go to the media… and in the end they didn’t want to use their insurance unfortunately.
4. vivara’s vtex was storing all its clients’ credit cards in clear text.”

We will continue to monitor this situation and provide updates as new details emerge.