NewsBite

Advertisement

This was published 7 months ago

Mortgage lender suffers hack, credit card details published on dark web

By David Swan

Non-bank mortgage lender Firstmac has suffered a cyberattack, with customer details including credit card and passport numbers, Medicare numbers and driver’s licence details stolen and published on the dark web.

The Brisbane-based firm, which is one of Australia’s largest non-bank lenders, told its customers in a letter that an unauthorised third-party had successfully infiltrated its information technology systems.

Firstmac customers are only now learning of their data being breached, weeks after the Brisbane-based lender was hacked.

Firstmac customers are only now learning of their data being breached, weeks after the Brisbane-based lender was hacked.Credit: Getty

“Unfortunately, our ongoing investigation has identified evidence that some personal information of some of our customers has been accessed,” the company said in the message.

“We are notifying all impacted individuals directly and providing steps that they can take to protect themselves from scams or phishing attempts, in line with our regulatory obligations … We have also notified the relevant authorities of this incident and are continuing to update them on any developments in our investigation.”

The hackers behind the attack have posted a large amount of the data on the dark web, according to technology industry publication Cyberdaily, which said ransomware gang EMBARGO had taken credit for the hack – which occurred some time in April.

According to the report, the gang had given Firstmac a ransom deadline of May 8, which it seemingly failed to meet.

Cyberdaily posted screenshots from EMBARGO’s dark website showing customer addresses, loan and financial details along with email addresses. The gang also published the emails and phone numbers of several of Firstmac’s executive and IT teams.

It is unclear how many customers and employees have been caught up in the breach. Firstmac was contacted for further comment.

Advertisement

The company said it had engaged IDCARE, Australia’s national identity and cyber support community service, to help its customers.

Loading

“IDCARE’s services are available to impacted customers at no cost and their expert Case Managers can help address our customers’ concerns about potential misuse of their personal information.

“Our systems are running as normal, we remain fully operational, and our business operations have not been impacted by this cyber incident. There is no evidence of any impact to customers’ accounts and our customers’ funds are safe.”

The breach is the latest cybersecurity incident to affect a high-profile Australian organisation, with cyberattacks on the rise.

According to the Australian Signals Directorate, a federal government agency responsible for information security, more than 127,000 hacks against Australian servers were recorded in the 2022-23 financial year, an increase of more than 300 per cent on the year-earlier period.

Late last year, researchers discovered a data breach impacting Melbourne travel agency Inspiring Vacations, in which a non-password protected database containing about 112,000 records totalling 26.8 gigabytes of data was leaked online.

Cybersecurity Minister Clare O’Neil: “Every time a ransom is paid, we are feeding the cybercrime problem.”

Cybersecurity Minister Clare O’Neil: “Every time a ransom is paid, we are feeding the cybercrime problem.”Credit: Alex Ellinghausen

Tens of millions of Australians have been caught up in recent security breaches, including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World and Dymocks, in what is being dubbed a “new normal” of consistent attacks and leaks.

The Optus breach, in particular, led to new legislation significantly increasing penalties for serious or repeated breaches of customer data. Organisations that fail to adequately protect peoples’ data face fines of $50 million or more.

“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Attorney-General Mark Dreyfus said when introducing the legislation.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

Loading

Australia late last year dropped plans to ban companies from making ransomware payments, instead opting to introduce mandatory reporting obligations.

Recent research from IT firm Cohesity found that 92 per cent of Australian IT executives said their company would pay a ransom to recover data and restore business processes, while 6 per cent said “maybe, depending on the ransom amount”.

Almost two in three said their company would be willing to pay more than $US3 million to recover data and restore business processes, with 27 per cent of respondents saying their company would be willing to pay over $US5 million.

“Every time a ransom is paid, we are feeding the cybercrime problem,” Cybersecurity Minister Clare O’Neil said in November.

“Now, we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that’s because we haven’t done the hard work.”

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.

Most Viewed in Technology

Loading

Original URL: https://www.smh.com.au/technology/mortgage-lender-suffers-hack-credit-card-details-published-on-dark-web-20240514-p5jdht.html