Ransomware: lapsus$ claims INGKA GROUP (SE) — Consumer Services

On June 13, 2026, a ransomware group known as Lapsus$ claimed responsibility for a cyberattack against INGKA GROUP, the parent company of IKEA, in the consumer services sector. The claim was published on the ransomware monitoring platform ransomware.live, which tracks and verifies such incidents. While the full extent of the data breach is not yet confirmed, the incident signals a significant security event that may involve customer or operational data exposure, triggering notification obligations under the EU General Data Protection Regulation and other breach reporting frameworks.

This development primarily affects INGKA GROUP and its subsidiaries, but it also serves as a warning for all organizations in the retail, consumer services, and e-commerce sectors across the EU. These sectors are frequent targets for ransomware groups due to their large customer databases and reliance on digital supply chains. Compliance teams in similar organizations should assess their own exposure to similar threats, particularly if they handle personal data or operate critical infrastructure.

Compliance teams should immediately verify whether their organization has any shared service providers or data processing links with INGKA GROUP. They should also review their incident response plans to ensure they can meet the 72-hour breach notification deadline under GDPR. Additionally, teams should reinforce employee training on phishing and credential theft, as Lapsus$ is known for social engineering tactics. Finally, monitor official updates from INGKA GROUP and relevant data protection authorities for further guidance on containment and remediation steps.