Nestlé Denies Anonymous Hack Claims, Says It Leaked Data Itself


A hacker group claims to have stolen and leaked a trove of Nestlé’s data. The company says that can’t possibly be true. Why? Because the data was actually leaked by Nestlé itself several weeks ago.

In emails to Gizmodo, a Nestlé spokesperson disavowed allegations from the hacktivist collective Anonymous, which claimed this week to have stolen and leaked a 10 gigabyte tranche from the global food and beverage conglomerate. Anonymous said it was punishing Nestlé for its reticence to withdraw from Russia, as a host of other major companies have done. The data, which Anonymous said included internal emails, passwords, and information on Nestlé’s customers, was posted to the web on Tuesday.

Anonymous says it’s on a mission to punish any company that won’t boycott Russia over the devastating war in Ukraine, and Nestlé—which had previously expressed reluctance to scale back operations in the country—has apparently been at the top of its list.

But, according to Nestlé, Anonymous is full of it. A spokesperson told Gizmodo, “This recent claim of a cyber-attack against Nestlé and subsequent data leak has no foundation.”

The spokesperson explained that the trove of data floating around the web was, in fact, the product of a mistake the company made earlier this year: “It relates to a case from February, when some randomized and predominantly publicly available test data of a B2B nature was made accessible unintentionally online for a short period of time.”

Huh, well there you have it! Hard to hack someone who has effectively hacked themselves. In a follow-up email, the same company spokesperson explained that the data, some of which was already public and some of which was not, had been accidentally published to the open internet for multiple weeks. According to the spokesperson:

Some predominantly publicly-available data (e.g., company names and company addresses and some business email addresses) was erroneously made available on the web for a limited period of time (a few weeks). It was detected by our security team at the time and the appropriate review was carried out. The data was prepared for a B2B…