Connect with us

Hi, what are you looking for?



Discount Retail Giant Pepco Loses €15 Million to Cybercriminals

European discount retailer Pepco has lost €15.5 million as a result of what it described as a phishing attack.

European discount retailer Pepco Group this week revealed that its Hungarian business has lost a significant amount of money to cybercriminals. 

The UK-based company reported losing €15.5 million (roughly $16.8 million) in cash as a result of a “sophisticated fraudulent phishing attack”.

An investigation has been launched and Pepco is working with banks and the police to recover the money, but the company says it’s currently unclear whether the funds can be recovered.

“At this stage, the incident does not appear to have involved any customer, supplier or colleague information or data,” the Pepco Group said.

“The Group maintains a strong balance sheet with access today to over €400 million in available liquidity (from cash and credit facilities) and continues to generate strong cash flow from its operations,” it added. “The Group takes financial controls and IT security extremely seriously and is currently conducting a group-wide review of all systems and processes to secure the business more robustly going forward.”

The Pepco Group owns the Pepco, Dealz and Poundland brands. The 3,600 Pepco stores spread across 19 European countries have more than 30 million customers every month.

Based on the company’s brief description of the incident and the amount that was lost, it may have been targeted in a business email compromise (BEC) scheme, where cybercriminals use hacked email accounts to trick the targeted organization’s employees into transferring money to bank accounts they control.

The FBI reported last year that global BEC losses reported over the past decade had totaled more than $50 billion across nearly 278,000 incidents. 

Advertisement. Scroll to continue reading.

SecurityWeek has reached out to Pepco for more information and will update this article if the company responds. 

Related: Australia Dismantles BEC Group That Laundered $1.7 Million

Related: Nigerian Arrested, Charged in $7.5 Million BEC Scheme Targeting US Charities

Related: Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.