Legal notice served to Shwapno over customer data leak

A legal notice has been sent to 'Shwapno', one of the country's leading retail chains, over allegations of customer data breach and gross negligence. The notice was sent to the Managing Director of ACI Limited, the parent company of the retail chain.

Barrister Lutfe Jahan Purnima, a Supreme Court lawyer, sent the notice on Monday, March 30.

The notice states that a major security breach occurred in Shwapno's customer database around August 2025. Unauthorised third parties accessed customers' personal information and demanded ransom on condition of not disclosing the data. Subsequently, names, mobile numbers and sensitive purchase-related information were allegedly leaked online.

It further states that the company's data security measures were weak, making it impossible to protect customers' personal and financial information. Additionally, despite being aware of the matter for a long period, customers were not informed, depriving them of the opportunity to ensure their own security.

The notice alleges that although authorities claimed the system was brought under control, the stolen data was not effectively secured or neutralised, which constitutes gross negligence.

The incident has been described as a violation of citizens' rights to equality, legal protection and personal liberty under Articles 27, 31 and 32 of the Constitution.

The notice directs Shwapno authorities to disclose complete information within seven days, provide a list of affected customers, confirm the data breach, establish compensation mechanisms, strengthen cyber security, and submit reports to relevant authorities.

The notice warns that if these steps are not taken within the stipulated time, necessary civil and criminal actions, including a public interest writ petition under Article 102 of the Constitution, will be pursued.