
Secure document storage and records lifecycle solutions provider ZircoDATA has been hit by the Black Basta ransomware gang, with the company saying it had noticed unauthorised access of its servers on 28 February.
The breach appears to have exposed thousands of records of victims of family violence and sexual assault, as well as the personal information of about 60,000 former and current students of Melbourne Polytechnic.
Like all ransomware gangs, Black Basta only attacks systems running Microsoft's Windows operating system. Somewhat ironically, ZircoDATA advertises what it terms "versatile shredding services for your unique security needs".
While Australia's recently appointed national cyber security co-ordinator Lieutenant-General Michelle McGuinness released a long statement on X on Friday about the breach, she did not give any reason as to why it was being disclosed only after more than two months.
McGuinness is the second person to occupy this post; the first, Air Marshal Darren Goldie, is on leave and being investigated over what has been referred to as a “workplace matter” while serving in the air force.
He was moved a few days before the Federal Government was due to release a new cyber security strategy. Goldie was recalled to the Defence Department to face possible action under the Australian Defence Force’s disciplinary processes on 15 November 2023.
Some of the shredding services offered by ZircoDATA. Screenshot from company's website.
Black Basta has released a list of documents which are among those purloined during the attack. The gang claims to have stolen 395GB of data, including documents relating to finance, IT, public, RM/RM Corp, personal users folders, and documents which were confidential and subject to non-disclosure.
It provided a list of files from ZircoDATA's Windows systems and also screenshots of passports and driving licences. A copy of a confidentiality and non-disclosure deed from a legal firm is among the files released on the dark web.
In a statement issued on 29 February, ZircoDATA said: "On 8 February 2024, we became aware that an unauthorised third party accessed our system and encrypted some files. Working with our cyber security experts, we took immediate steps to contain the situation, restore from back-ups and investigate the incident.
"While since this time we have not identified any further unauthorised access, on 22 February 2024, our team identified an allegation on the dark web that some of our data has been stolen. We have been urgently investigating this allegation with the assistance of our experts.
"At this stage, our investigation has not identified any evidence suggesting that personal information relating to our customers (or their customers) has been impacted. Please understand that the investigation is ongoing.
"We have reported the incident to the Australian Cyber Security Centre, the Australian Federal Police and the Office of the Australian Information Commissioner.
"If you provided services to or received services from Birch Creek Hill Investments and/or any of its related businesses prior to 2022, and disclosed identification documents, we ask that you please contact us at services@zircodata.com.au.
"This way we can assess whether you are impacted and advise on recommended steps to mitigate the risk of misuse of your personal information."
A part of the Black Basta post about the breach. Screenshot by Sam Varghese
In a statement on X (formerly Twitter), McGuinness said: "The National Office of Cyber Security has been co-ordinating a response from the Australian Government, states and territories to a cyber incident that impacted ZircoDATA in February.
"ZircoDATA first publicly advised it had been impacted by a cyber incident in late February. Today, one of its impacted clients, Monash Health, has disclosed it has been affected by the incident.
"It is the responsibility of ZircoDATA to notify impacted clients, and the National Office of Cyber Security has been supporting it to do so.
"My team has been engaged with ZircoDATA on understanding and addressing the incident’s impacts since mid-March. The National Office of Cyber Security has been assisting ZircoDATA in ascertaining the full extent of the compromise and supporting both the organisation and its affected government clients to identify impacted victims and to meet their obligations to notify them.
"Monash Health has disclosed that a selection of its archived data, including very sensitive data from family violence and sexual assault support units dating from 1970 to 1993, has been exposed by the breach.
"This is a distressing development for those who have, or believe they may have, been impacted by this exposure. In particular, I want to acknowledge the impact this news will have on affected victim-survivors who had been supported by Monash Health’s services.
"We continue to work with our Victorian counterparts to ensure this group has as much support in place as possible.
"Assessing the full extent of the breach is a time-consuming process and ZircoDATA is still trying to determine the full list of affected persons and organisations. Disclosures occur once there is certainty around the information affected, the safety of victims, and readiness of support services.
"Our focus in this incident is supporting victims, and ensuring individuals who have had their information exposed are provided with the appropriate wraparound support services they need.
"While work is ongoing, it is clear this breach has also affected other government entities who are clients of ZircoDATA. The majority of these entities are still in the process of working with ZircoDATA to identify impacted data and any victims, and are yet to begin notifying impacted individuals. There are clear processes for ZircoDATA and the affected government entities to work through.
"The National Office of Cyber Security will continue to support affected government entities in working with ZircoDATA on the process of identifying victims and notifying them. The impact for most government entities is likely to be minimal."
Contacted for comment, Brett Callow, a seasoned ransomware researcher from the New Zealand-based security firm Emsisoft, said: "Too many companies claim to have ’no evidence’ that customer information was impacted, only to have to subsequently admit that it was.
"It’s a bad look for the companies concerned, and it’s unfair to the individuals concerned. It’d be far better if those companies simply said it was too early for them to be able to say. That way, people know where they stand."