Cleaning and Catering Business Spotless Hit by a Severe Data Breach
The Amount of Information Involved in the Data Breach Indicated the Attackers Had Got Into the Company’s HR Files.
Spotless Group, the Downer-owned facilities services provider, is a high-profile Australian company that recently disclosed it had suffered a severe data breach that exposed its employees’ personal information.
Spotless Group Holdings is an Australian-listed company that provides integrated facility services in Australia and New Zealand through several in-house brands. The company was formed in 1957 and currently employs more than 36,000 people. Acquisitions have been an important driver of growth throughout its history.
The organization declared that attackers may have acquired past and present staff members’ passports and IRD numbers, names, phone numbers, and residential addresses.
Data Breach Might Lead To Identity Theft
Internet specialists believe the potential leak might have been a serious source of personal information that could lead to identity theft.
The affected employees were notified of the data breach by email on Thursday. After receiving the email, one worried person had her credit cards changed. She also expressed concern over her colleagues who might not understand the message or even have access to email to receive it.
The amount of data involved suggested the hackers had got into the business’s HR files, Netsafe chief executive Martin Cocker said. Cybercriminals might use that data to apply for credit and services using victims’ stolen identities.
There is a high risk to the subjects of the attack of future identity theft. If they have taken that much personal data, it is a pretty high risk to the individual, so we would suggest people go through a process of trying to reduce that risk.
Internet law expert Rick Shera stated it unquestionably qualified as a privacy breach, “and given the type of information involved and the number of people involved it would be classed a serious breach, there wouldn’t be any doubt about that.”
He added that it depended on whether the data had been encrypted, or whether it had been stolen, but “that level of information is clearly information that could be used by someone to impersonate an individual”.
Having passport and IRD numbers could allow a cybercriminal to secure a RealMe account, the internet ID that allows its holder to access multiple online services with one username and password. Shera urged the affected people to cancel their passports.
In December 2020, the company disclosed it had been the victim of a cyberattack, but at the time it did not know whether any information had been stolen.
The Attack Involved Ransomware
Spotless also confirmed it had been hit by a ransomware attack, in which threat actors infiltrate an IT system and then ask for money. The company immediately hired cybersecurity specialists to investigate the incident, and analysis showed personal data might have been accessed.
The organization had notified government cyber-security bodies in Australia and New Zealand, the Privacy Commissioner, and the Australian Information Commissioner of the data breach, in line with its obligations under privacy laws.
Employees received an information sheet from the company titled “Steps you can take to protect against potential data misuse” and were offered a freephone hotline number available during business hours.
Asked if Spotless would compensate the victims, and whether it felt an email was enough to reach all staff, Helene Toury, Spotless’ general manager of reputation and business excellence, replied: “rest assure[d] that we have taken reasonable steps to notify all the affected individuals. We have set up a call center and email address that affected individuals can contact us if they have any queries, details of which are in the notification.”