The List No One Wants To Be On: The Biggest Australian Data Breaches of 2021

2021 was a strange year. It was also a year that saw data breaches and cyber attacks increase over 2020, with the Australian Cyber Security Centre (ACSC) estimating a 13 per cent increase in reported attacks and a 15 per cent rise in ransomware attacks. The ACSC also estimates cybercrime has cost Australian businesses and individuals $33 billion over the past year.

While data breaches, cyber attacks and ransomware payments aren’t always made public, there were a handful that made headlines in 2021. Here they are.

Tasmanian Ambulance: January 2021

One of the first data breaches of 2021 affected every resident who requested an ambulance between November 2020 and January 2021.

The unencrypted information came from pagers being used by paramedics. At the time, the Tasmanian ambulance service was using outdated radio technology to run its communications network. Cyberattackers intercepted the radio data, converted the conversation to text and posted the stolen data online.

Pager messages included patients’ personal details and condition as well as the address of the incident. Information made public also included a patient’s HIV status, gender and age, which raised serious concerns the breach could lead to discrimination or stigmatisation.

Northern Territory government: January 2021

The Northern Territory government’s system was hit by a ransomware attack in January and was down for three weeks.

The NT Department of Corporate and Digital Development said that an undisclosed perpetrator targeted the unnamed supplier of its web-based corporate software system. The attack forced its sensitive database to be taken offline.

Thousands of Territorians also had their personal and business emails released in a data-breaching mass email sent by the Health Department in relation to the government’s COVID-19 Territory Check In app in February.

ASIC: January 2021

The Australian Securities and Investments Commission (ASIC) in January said one of its servers was breached earlier in the month after attackers gained access to files relating to credit licence applications. The breach vector was its file transfer app, the Accellion File Transfer Appliance (FTA), which was used by the federal agency to transfer files and attachments.

Shortly afterwards, Accellion announced the end-of-life for its FTA product, as the software had been abused in a number of attacks to breach many companies and government agencies across the world since December 2020. Some other victims include the Reserve Bank of New Zealand, the University of Colorado, the Washington State Auditor Office, NSW Department of Health, Queensland research institute the QIMR Berghofer Medical Research Institute and Singtel, Singapore’s largest telco.

Transport for NSW: February 2021

One other victim not listed in the previous blurb was Transport for NSW, who in February had around 250GB of information stolen as part of the Accellion attack.

The info, TfNSW admitted, included confidential emails and files, and it was dumped on the dark web, appearing on a leak site belonging to ransomware and extortion group CL0P in downloadable chunks of roughly 4GB each.

At the time, TfNSW said the breach was limited to Accellion servers and no other TfNSW systems had been affected, including those related to driver’s licence information or Opal data.

Oxfam Australia: February 2021

In February, Oxfam Australia investigated a suspected cyber attack on its database that allegedly impacted the information of 1.7 million supporters, with hackers accessing files containing data on supporters who had signed petitions, taken part in campaigns and made donations or purchases.

The charity later confirmed that supporter information had been unlawfully accessed by an external party, including names, addresses, dates of birth, email addresses, phone numbers and gender.

Eastern Health: March 2021

A “cyber incident” suffered by Eastern Health facilities in Victoria resulted in the cancellation of some surgeries across the state. Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals and has many more facilities under management.

At the time, Eastern Health took many of its systems offline as a precautionary response to the incident.

Although no patient data was lost, ransomware forced the shutdown of IT systems across the hospitals operated by Eastern Health. The incident removed staff access to patient records, booking and management systems and prompted the cancellation of non-urgent surgeries, causing additional frustration for patients whose procedures had already been delayed due to COVID-19.

By April 15, it reported the majority of its IT systems were restored. The nature of the cyber attack is unknown, but it’s believed to have been a ransomware attack.

Western Australian Parliament: March 2021

Western Australia Parliament’s mail server was accessed after a Microsoft Exchange Server vulnerability was exploited. This incident was part of a global cyberattack frenzy targeting the zero-day vulnerability before Microsoft responded with a patch release.

WA Parliament says no data was lost and its network remained protected during the cyber attack that occurred in the middle of the state election.

The attack itself left Parliament without the use of its email platform for 19 hours as it worked on a fix.

Nine Entertainment Co: March 2021

The media report on cyber attacks almost every week. But this time the hack hit inside the house, knocking one of Australia’s biggest media companies, Nine Entertainment, off air in Sydney in March.

The attack on Nine (which owns Pedestrian Group, publisher of Gizmodo Australia) bore all the hallmarks of ransomware – where criminals encrypt a computer’s data to make it inaccessible and then demand money to unlock it. Only there had been no such demands.

Nine immediately began working with the ACSC on the incident.

TPG Telecom: March 2021

TPG Telecom confirmed that data freely available to download on the dark web in May belonged to one of its customers, following a cybersecurity breach of TPG’s servers in April.

According to the Australian Financial Review, the 5GB download came from one of the customers of TPG’s TrustedCloud service, a cloud-hosting service which the company was already in the process of decommissioning when it was hacked on April 25.

UnitingCare Queensland: April 2021

UnitingCare Queensland, an organisation providing aged care, disability supports, health care and crisis response services throughout the state, fell victim to an attack on April 25, 2021.

UnitingCare Queensland named REvil/Sodin as the gang behind the attack.

The REvil (Sodinokibi) ransomware gang has been active for quite a while, dwarfing any other similar ransomware operations. Run as a Ransomware-as-a-Service (RaaS), the REvil gang rents its ransomware strain to other criminal groups.

The figure demanded of UnitingCare has not been disclosed, but it was reported in March that Taiwanese giant Acer was struck by REvil ransomware, with the culprits demanding $50 million from the company, which is one of the largest sums demanded from data breaches in 2021.

Swinburne University: April 2021

Swinburne University of Technology in early April confirmed personal information on staff, students and external parties had inadvertently made its way into the wild.

The information caught up in the incident included names, email addresses and phone numbers of around 5,200 Swinburne staff and 100 Swinburne students.

This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available. In apologising for the incident, Swinburne said it took immediate action to investigate and respond, including removing the information and conducting an audit across other similar sites.

Sunwater: August 2020 – May 2021

Queensland’s largest regional water supplier, Sunwater, was targeted by hackers in one of the longest running data breaches of 2021 that actually went undetected for nine months. While this incident occurred between August 2020 and May 2021, it only came to light last month.

The incident involved unauthorised access to Sunwater’s web server that stored customer information. A Sunwater spokesperson told the ABC no financial or customer data had been compromised and immediate steps had been taken to improve security once the unauthorised access to an online content management system was detected.

Sunwater admitted the cyber breach after the tabling of a Queensland Audit Office report into the state’s water authorities, which mentioned the incident but did not say which authority was targeted. Yikes.

JBS USA (and Australia): May 2021

United States-based food processing company JBS USA fell victim to a cyber attack at the end of May, with the aftermath of one of the biggest data breaches of 2021 affecting its North American and Australian systems. The company supplies approximately one-fifth of meat globally. Yuck.

The attack was also pinned on REvil.

JBS paid the ransomware hackers who breached its computer networks about $15 million in bitcoin. In a statement, JBS indicated that while it was able to get most of its systems running without REvil’s help, it chose to pay to keep its files safe.

Other data breaches affecting Australians in 2021

While this list is purely focused on Australian companies/organisations, there were also a number of data breaches in 2021 that affected Australians. Some of the big ones included:

  • LinkedIn: Data associated with 700 million LinkedIn users was posted for sale in a Dark Web forum in June 2021. This exposure impacted 92 per cent of the total LinkedIn user base of 756 million users.
  • Facebook: Data from a 2019 attack made its way into the wild this year – 533 million records.
  • Socialarks: This rapidly growing Chinese social media agency suffered a monumental data leak in 2021 through its unsecured ElasticSearch database. The breached database stored the scraped data of over 200 million Facebook, Instagram, and LinkedIn users.
  • Twitch: The Amazon-owned company suffered a breach of almost its entire code base. The exact impact of one of the most publicised data breaches in 2021 hasn’t been confirmed, but given its depth of compromise, it has the potential of impacting all of Twitch’s users. 125GB of sensitive data was posted via a torrent link on the anonymous forum 4chan.
  • Pixlr: A database of 1.9 million user records belonging to online photo-editor Pixlr was dumped on a dark web hacker forum by notorious cybercriminal ShinyHunters.
  • GoDaddy: Last month, website hosting service GoDaddy announced via a filing with the United States Securities and Exchange Commission that up to 1.2 million accounts had been exposed in a breach, marking one of the last data breaches to occur in 2021.

The second half of 2021 was suspiciously quiet where data breaches or confirmed ransomware attacks were concerned. So we’ll update this article if we learn more (or realise there was something we missed!).