Details of four recent cybersecurity and data breaches in Australia include:
Meliton
Meriton was involved in a supply chain attack in March 2023. While still under investigation, it has been classified as a personally identifiable information (PII) and protected health information (PHI) data breach.
It was due to data shared with suppliers and other parties. This data breach affected guests and past and current employees of Meriton Suites. This was his 35.6 GB of data and contained a ton of sensitive information, including birth certificates, bank account details, payroll records, tax return numbers, health information, and more.
The breach was reported to the Australian Cyber Security Center and the Australian Information Commissioner’s Office. Meriton has personally contacted all those affected.
good guy
Good Guys suffered a loyalty program supply chain attack. Although this breach occurred in 2021, he was discovered in August 2023 and is still under investigation. That’s PII infringement.
This was due to access to third parties through loyalty programs. Some customers’ passwords were stolen, and some had their dates of birth hacked. About 1.5 million members were affected by this.
As a result, the concierge member benefits program has ended. The Good Guys no longer use My Rewards (formally known as Pegasus Group).
Latitude Financial Services
Latitude Financial Services was involved in compensation theft and ransom demands. Still investigating. This is another her PII beach with stolen credentials.
An internal system was compromised, allowing malicious individuals to steal employee login information. The data was not encrypted. Latitude received a ransom demand, but it was denied.
14 million customer records stolen. This data breach involved sensitive information such as driver’s license numbers, passport numbers, addresses, phone numbers and dates of birth.
The company suffered losses of up to $105 million. A class action lawsuit has been initiated. Latitude will reimburse customers for the cost of reissuing stolen ID documents.
Crown Resorts
Crown Resorts has been implicated in exploiting zero-day vulnerabilities. This was caused by the delay in applying security patches. The documents were accessed via a compromise of GoAnywhere, a third-party file transfer service.
The attack is said to involve the ransomware gang Clop.
This breach occurred in March 2023. This was due to delays in implementing security patches. This led to data breaches of employee salary information and casino machine reports.
This vulnerability is now fixed. However, an investigation is ongoing.
Cybersecurity recommendations
Unfortunately, we cannot prevent cybersecurity attacks and data breaches from happening. Practice security best practices to minimize damage when damage occurs.
Recommendations for organizations:
- Follow best practices in your security solution architecture (RBAC, Least Privilege, DLP, CASB).
- Follow a zero trust framework (never trust, always verify).
- Conduct penetration tests on your system to identify potential gaps and vulnerabilities.
- If your organization shares information with third-party suppliers, you should request security reports and tests on a regular basis.
- Restrict staff member access to only the data necessary for their role.
- Conduct frequent security awareness training with staff members.
- Organizations should establish robust cybersecurity policies and procedures.
- We collect and retain the minimum necessary information.
Personal Recommendations:
- Whenever possible, do not store or share personal data online. Do not store sensitive personal data or images in the cloud.
- Enable two-factor authentication whenever possible.
- When you leave your company, ask that your personal information be deleted or archived.
- Do not authorize the sharing of personal data by third parties. Please cross out any additional data sharing that is not necessary for your personal needs.
- See documents in person whenever possible and avoid uploading personal documents online.
- Do not reuse passwords. Use a password manager.
- Do not use your real date of birth for contests or random online forms.
- Bank passwords must be unique. Never share this information with others.
- If you’ve been affected by one of these data breaches, apply for a new driver’s license number.
- Contact the Australian credit bureaus. It’s a red flag if you notice your credit score is declining.
- Consider canceling your loyalty program.
- Regularly shred paper records that contain sensitive or personal information.
Businesses have a responsibility to keep their data safe. Respond proactively to company cyberattacks. Remember your motto. If you find something, do something with it.
