Coles, Westpac, AMP and Department of Defence caught up in 'significant' data breach of Finite Recruitment - ABC News
Story Lab / By Simon Elvery, Emily Sakzewski, and Matt Liddy
Posted Fri 17 Dec 2021 at 7:21pm, updated Tue 21 Dec 2021 at 6:01am
Composite of Westpac, Coles, AMP and Parliament House
Coles, Westpac and AMP, as well as several federal government departments, have been caught up in a ransomware attack on Finite Recruitment. (ABC)
The personal details of job applicants and staff at a range of major Australian companies and government agencies have potentially been exposed in a "significant" data breach and extortion attempt against Australian recruitment company Finite.
Key points:
The group responsible for hacking Finite Recruitment, Conti, was also behind a recent cyber attack on South Australian government employees
Conti claims to have stolen more than 300 gigabytes of data in this attack
Cyber experts say the group is ruthless, sophisticated and becoming more brazen
Hackers have accessed and released sensitive data that includes resumes, offers of employment, contracts, timesheets and vaccine certificates, with the likely goal of extracting a ransom.
Finite has a long list of major Australian clients, including Coles, Westpac, AMP and the departments of Defence, Health and Home Affairs.
Conti — the same hacking group responsible for the data breach affecting up to 80,000 South Australian government employees disclosed last week — has so far released more than 12,000 files and is threatening to publish more.
A notice posted on the hacking group's website, designed to extract a ransom payment, claims more than 300 gigabytes of data has been stolen, including financials, contracts, customer databases, phone numbers, addresses, passports and a variety of other sensitive personal information.
Screenshot of a threatening message by hackers saying more than 300GB of information will be posted
Russian hackers threaten to release personal information about Australian workers after hitting recruitment company Finite in a ransomware attack. (ABC News)
Finite Recruitment said in a statement sent to the ABC that the data "relates to a one-off cyber incident that occurred back in October", adding that the incident was still being investigated and affected parties would be notified when the investigation concluded.
"We are aware that a small subset of Finite Group's data has been downloaded and published on the dark web," the statement said.
An Australian Cyber Security Centre profile of the hacking group notes that "leaked information is hosted on The Onion Router (TOR) network, enabling greater anonymity to Conti threat actors hosting illicitly obtained material".
However, the group appears to have more recently been posting leaked data on an ordinary clear-web site reachable by any internet user, with no Tor software required. The ABC was able to view and download leaked files using a standard web browser.
The data already released includes the personal details of Australians who have sought employment through the firm, including resumes, salary information, reference checks, criminal history checks and visa checks.
What organisations are affected?
A long list of businesses, banks and government agencies were caught up in the leak by way of their ties with Finite, including Westpac, ME Bank, Coles, Adairs, AMP, Suez Australia, NBN Co and the departments of Defence, Home Affairs and Health.
Some of Finite Recruitment's clients contacted by the ABC said they were aware of the leak, while others had not been notified.
A federal health spokesperson said the department used a range of hire firms, including Finite Group APAC Pty Ltd, but did not share "any sensitive or classified data" with those providers.
"The department has not received any correspondence from Finite Group APAC Pty Ltd regarding any security breach or data loss," a spokesperson said.
Coles — which has a service agreement with Finite Recruitment and was listed in the leaked documents — said it was conducting its own investigations into the breach.
"We have engaged directly with Finite to understand what steps they are taking to investigate the incident and to secure their systems, and to assess any impact to Coles contractors or team members," a Coles spokesperson said.
Australian National University — which was also listed in the breach — said in a statement that it had not been informed of this data breach, but added there was nothing to suggest its systems were currently under threat.
The ABC also contacted the departments of Defence and Home Affairs, but neither was able to respond in time for initial publication.
A spokesperson for the Department of Home Affairs later told the ABC it did not share sensitive classified data with recruitment providers, that it had strong security settings in place, and had not been impacted by this data breach.
A Defence spokesperson said the department was aware of the incident and working with FinXL to manage Defence’s equities.
"There was no impact to Defence networks [and] Defence does not share any sensitive classified data with recruitment providers," the spokesperson said.
The ABC has also reached out to Downer, IBM, AMP, Hostplus and the Australian Cyber Security Centre for comment.
Who is Conti and what do they want?
Conti is a Russia-based criminal organisation that develops and operates ransomware. In short, they're after money.
Canberra-based cyber security researcher Robert Potter says Conti is a highly professionalised hacking group which uses a variety of well-known tools to gain access to its target's networks before stealing data and seeking a ransom.
Ransomware attacks work by encrypting victims' data, rendering it inaccessible. The attackers then offer to sell the victim the decryption key needed to recover that data.
If the victim doesn't give in to the attackers' demands, they can permanently lose access to the data, unless they hold clean, offline backups.
Conti affiliates also use a technique called "double extortion": they copy data out of the network before encrypting it, then threaten to publish the stolen data unless payment is made. That second lever means a victim who restores from backup is still exposed, which is what is playing out in the Finite case.
Mr Potter said the group was becoming more brazen and was quite open about who they have targeted in recent times.
He said Conti was increasingly ideological, sometimes using Russian foreign policy talking points, suggesting this might be a tactic to appeal to the people who provide them protection.
"Conti are doing a roaring trade, they're not subtle," Mr Potter said.
Conti attacks have made headlines before for targeting high-profile organisations, demanding large amounts of money as ransom in exchange for agreeing not to publish full data leaks.
ProDraft — a cyber security and intelligence company that monitors incidents of potential cybercrime — said that, since 2020, it had seen data from 567 different companies shared on Conti's extortion site. ProDraft also says its teams have noticed a recent surge in Conti attacks.
"Conti has shown itself to be a particularly ruthless group, indiscriminately targeting hospitals, emergency service providers and police dispatchers," ProDraft's report said.
How much money do they make?
Conti is also offered as Ransomware-as-a-Service (RaaS). Under this model the core group maintains the malware and the leak site, while affiliates carry out the intrusions and run the ransomware as they see fit, as long as a percentage of each ransom payment is passed back to the Conti operators as commission.
Research carried out by ProDraft found that, since July 2021, Conti has received more than 500 bitcoin in ransomware payments which, at the time of writing, was worth $32.8 million.
According to Mr Potter, Conti is sophisticated enough that they take an "almost actuarial approach" to determining ransom amounts, even targeting a dollar value close to what they think an organisation's insurance will cover.
Mr Potter said most Australian organisations hit by ransomware attacks did not pay up, and that this was the right move.
However, he was aware of at least one large ransom payment from an Australian-based organisation targeted by Conti.