A major cybersecurity incident has rocked Shwapno, one of Bangladesh’s leading retail brands, after new details revealed that millions of customer records may have been exposed in a large-scale data breach. The situation has raised serious concerns about data protection, customer privacy, and the growing risks of cyberattacks in the country.
According to emerging reports, hackers first gained access to Shwapno’s systems as early as August 2025 through a phishing attack. What initially appeared to be a contained issue has now turned into a much bigger crisis. The attackers reportedly deployed ransomware, locking internal systems and demanding a payment of $1.5 million in exchange for restoring access and keeping the data private.
What makes this breach particularly alarming is the scale of the exposure. Shwapno, which operates hundreds of outlets across Bangladesh and serves over 40 lakh registered customers, confirmed that sensitive information such as names, mobile numbers, and detailed purchase histories may have been compromised. This type of data can easily be used for targeted scams, fraud, and phishing attacks.
The situation escalated further when hackers allegedly released more than 410GB of data on the dark web after the company refused to pay the ransom. Investigators say the leaked files include not only customer information but also internal business documents, supplier data, financial records, and employee details significantly increasing the potential damage.
Shwapno’s management has acknowledged the breach and stated that they are working closely with law enforcement, including cybercrime units of the Bangladesh Police, along with international cybersecurity experts to investigate the incident and strengthen their systems. A General Diary (GD) has been filed, naming notorious ransomware groups such as Qilin and LockBit as suspected attackers.
However, the company is now facing criticism over its delayed response. Reports suggest that although the breach occurred months ago, formal legal action was only taken recently after the leaked data began circulating online. Officials have explained that initial internal assessments indicated the issue had been resolved, but the emergence of leaked data forced urgent action.
Customers are being advised to stay alert. Experts recommend avoiding suspicious calls, messages, or links, and never sharing personal or financial information such as passwords or OTPs. Shwapno has also clarified that it does not request such sensitive details through unsolicited communication.
This incident highlights a growing concern in Bangladesh’s rapidly digitising economy. As more consumers rely on online platforms and digital transactions, cybersecurity is no longer optional, it’s essential. Stronger data protection measures, faster response systems, and increased awareness among both companies and users are now more important than ever.
As investigations continue, the Shwapno data breach is shaping up to be one of the most significant cybersecurity incidents in Bangladesh in recent years. The full impact is still unfolding, but for millions of customers, the risks are already very real.
