August 2023 – Victorian businesses hit by notorious Russian hackers.

Source: posted by ABC News on 5th Sept 2023 @ 5:59pm and updated on the 6th at 9.16am.

Background

The Russian cybercriminal group AlphV, also known as BlackCat, has claimed responsibility for several attacks against Victorian companies, including:

  • pathology company TissuPath,
  • real estate agency Barry Plant,
  • law firm Tisher Liner FC Law,
  • and owner’s corporation service provider Strata Plan.

A massive 4.9 terabytes of stolen data is being held hostage by the ransomware gang after it launched a string of attacks against Victorian businesses. That is nearly 1 terabyte more than what it claimed during AlphV’s hack against law firm HWL Ebsworth in April.

Some of the above are refusing to negotiate, leading the cyber criminals to allegedly “release the entire dataset”.

The group claimed to have leaked email content, non-disclosure agreements, property applications, criminal records, passports, and IDs of Barry Plant's clients and employees. This real estate agency is purported to represent about 65% of the stolen data.

TissuPath and Strata Plan have also suffered purported leaks – totaling 446 gigabytes and 1.43 terabytes respectively – with AlphV claiming to have leaked medical records of TissuPath clients.

TissuPath expressly confirmed that a range of patient data had been exposed during the incident, including names, dates of birth, contact details, Medicare numbers, and private health insurance details.

According to the ABC, the attacks apparently stem from a compromised 3rd-party Melbourne IT service provider. This was then followed by cyber-attacks on its customers, which were TissuPath, Strata Plan, Legal, and Barry Plant R/E. The IT service provider notified its clients of the hack on 22nd Aug.

According to the IT service provider's managing director, the company was “not really aware” of what information had been compromised. “It’s not our data so we don’t know,” said the MD.

After hiring forensic cyber security specialists, the company regained control of its systems and further reported the data breach to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

Lessons: ISO 27001 – Information Security Management System (ISMS) and Legislation updates coming.

  • Your 3rd-party IT service provider must be ISO27001 certified; if it is not, change provider.
  • If you do not use a 3rd-party IT service provider, your organisation needs to get ISO27001 certified itself.
  • Legislation will be coming, similar to what has happened in the USA, where a data breach has to be notified within 4 days; otherwise massive fines will be applied to those that fail to do this.

How can I help?

Having gone through the ISO27001 certification process, I am well equipped to assist and advise you on getting this certification in place as your independent consultant.

There are many false steps that you do not want to take to expedite this ISO process to completion. Having a guide to assist will ensure you get this done within a reasonable timeframe and on budget.






















