The cyber attack targeted a technology group that provides services to government departments, and the hackers are now believed to be in possession of the stolen data.
Key points:
- PNORS Technology Group said its two affected businesses serve “a number of external customers, including the government sector”
- Hackers have disclosed samples of “believed stolen data,” the company said
- Victorian government says it is investigating whether its data was exposed in the breach
PNORS Technology Group consists of five companies providing a range of technical services to more than 1,000 customers.
The company confirmed Saturday that two of its companies, Datatime and Netway, were the targets of the Nov. 3 cyberattack.
“The affected PNORS Technology Group business handles document and data capture, digital transformation and hosted IT support for many external clients, including government departments,” said Paul Gallo, CEO of PNORS.
“Preliminary investigations by cybersecurity experts indicate that the incident was limited to systems that were encrypted and locked down.
“However, the criminals behind the cyberattack released a sample of what was believed to be the stolen data to the company overnight via a private communication.”
Victoria’s Department of Premier and Cabinet (DPC) said it was determining whether data held by the state was exposed in the breach.
A DPC spokesman said the government “will continue to provide support to PNORS Technology Group to determine the extent of the information breach and prevent further incidents”.
PNORS said it immediately notified affected customers on Nov. 3, contacted state and federal police, and hired outside cybersecurity experts.
The Office of the Australian Information Commissioner has been notified.
“The extent of the data breach is still under investigation and we are working closely with all authorities to assess how many customers were affected and the nature of the data stolen,” Mr Gallo said in a statement.
“When we were informed of the cyber attack, we immediately shut down and quarantined all our internal systems and took further steps to protect our network and data, while suspending all data processing.”
A Victorian DPC spokesman said the Victorian Government’s Cyber Incident Response Service had been notified.
“Protecting Victoria’s data and systems is our top priority,” a DPC spokesman said in a statement.
“If it is determined that Victorian Government data has been exposed as a result of this breach, departments will notify affected individuals and advise them on steps they can take to minimise any risk.”
It’s the latest in a string of high-profile data breaches, starting with telecom Optus in late September.
The personal data of millions of Australians has been or may have been exposed in hacking attacks that also targeted health insurer Medibank and Woolworths-owned online retailer MyDeal.
Australia’s data breach notification laws require companies with an annual turnover of $3 million or more to notify the Privacy Commissioner of exposed customer data, so breaches at smaller companies could occur without public disclosure.
A security expert warned last month that “a decade of anti-security policy” has left Australia vulnerable.
Another warning this week said hackers would now consider Australia a “soft target” in light of recent breaches.
Attorney General Mark Dreyfus introduced a bill last week to amend privacy laws and raise the fine for large data breaches to at least $50 million.
The current maximum fine for serious or repeated violations of privacy is approximately $2 million.
A DPC spokesperson urged people to visit IDCARE for information on how to protect personal information and to visit ScamWatch for information on online scams.