Staff at security firm G4S on alert after tax numbers and bank details posted online following hack

Exclusive: Ransomware attack on Port Phillip prison revealed in July led to data being posted in mid-September with staff told details this week

Current and former Australian employees of security firm G4S have been told to be on alert after personal information – including tax file numbers, bank account information and medical checks – was stolen and posted online in a ransomware attack.

It is one of at least three further data breaches to be disclosed in Australia this week after the massive Optus cyber hack. It follows government plans to reform cybersecurity laws and seek higher penalties under the Privacy Act.

G4S provides services for prisons across Australia and, previously, the federal government’s offshore detention centre on Manus Island. It told current and former employees on Tuesday that it had been the subject of “a cyber incident” that gave an unauthorised third party, “or malware program”, access to G4S systems.

Guardian Australia understands the incident was a ransomware attack on Port Phillip prison which was reported by media in early July. In mid-September, G4S learned that some of the information had been posted online.

But the company only informed those affected about the extent of the attack and what documents had been compromised in an email on Tuesday.

The data obtained included employee names, addresses, dates of birth, contact details, police and medical checks, tax file numbers, bank account details, superannuation information, Medicare numbers and licence details. In some cases, payslips, health information shared with the company, and details about Workcover claims or incident reports were also compromised.

The company said the data was not easily accessible. It told employees it had taken action to prevent the third party continuing to access G4S systems and was working with the Australian Cyber Security Centre (ACSC).

Although the attack occurred at Port Phillip prison, the hacker was able to access the company’s entire network in Australia.

It is not clear how many staff were affected by the breach. G4S did not provide responses to specific questions about who was affected, instead saying the company was continuing “to work with impacted individuals to offer them full support”.

The company advised those affected on how to replace their identity documents but did not offer to pay for the replacements or provide credit monitoring. The company worked with IDCare to assist affected staff.

Guardian Australia was also alerted on Tuesday to another Optus-style data breach involving an employment agency. The breach was the result of a similar open application programming interface (API) to that believed to have been breached in the Optus attack. Personal documents such as photos of passport pages and Covid-19 vaccination certificates were accessible via the vulnerability.

Separately, photos of identity documents – including driver licences – of hundreds of thousands of the company’s clients were publicly available via Google image search results because users had uploaded their licences as their profile photo. The employment company has since acted to prevent users from uploading sensitive documents to profiles.

Jamieson O’Reilly, the founder of Sydney-based cybersecurity company Dvuln, discovered the issue while researching the Optus breach. O’Reilly reported it to the company which then closed access through the API. The incident was also reported to the ACSC.

Telstra suffered a breach of employee data on 27 September, Guardian Australia reported on Tuesday. The company on Saturday alerted staff that 30,000 names and work email addresses of current and former workers were posted online to the same website where the Optus data breach ransom threat was posted – and subsequently revoked.

The data dated back to 2017 and was from a third-party vendor Telstra had used for its employee rewards program.

Telstra no longer used the system and said only 12,800 of the 30,000 staff still worked for the company. It said it had reset the passwords for all users of its new rewards system.

A Telstra spokesperson said the company believed the party responsible for posting the data was seeking to profit from the attention on the Optus data breach, and no customer information was at risk.

Services Australia has begun sifting through the records of customers who had their Medicare cards exposed in the Optus data breach after Optus handed over the details to officials at 1am on Tuesday morning.

The federal government services minister, Bill Shorten, condemned Optus on Sunday for not having handed over the data, but Optus reportedly said the company was given until Tuesday to hand over the information.

“It’s now day 13 and I’m pleased that our Services Australia people were able to get data finally today,” Shorten said. “But I think Optus CEO, Optus senior management are kidding themselves if they want a medal for the way that they’ve been communicating. No one … even a crocodile, would swallow that.”

Optus refused interview requests with the CEO, Kelly Bayer Rosmarin, on Tuesday, however, she told Nine Entertainment that she sticks by her claim that the method of the data being extracted from the company was not “basic”.

The company has recruited Deloitte to conduct an external review into the circumstances of the breach but has indicated it will not release the findings publicly.

The prime minister, Anthony Albanese, said Optus had committed to paying to replace customers’ passports if their numbers were exposed in the breach, but customers have not been given clear information about how to proceed.

When asked about this on Tuesday, a spokesperson for Optus said the company was working with the government “on how we can support our current and former customers who have had their passport numbers or expired passport numbers compromised”.

• This article was amended on 5 October 2022 to specify that it was G4S’s Australian network affected, not its entire global network.


Josh Taylor

The GuardianTramp

Related Content

Article image
Optus cyber-attack could involve customers dating back to 2017
CEO says company has not yet confirmed how many people were affected by hack, but 9.8 million was ‘worst case scenario’

Josh Taylor

23, Sep, 2022 @3:04 AM

Article image
Customers’ personal data stolen as Optus suffers massive cyber-attack
Personal information of potentially millions of customers exposed, including names, dates of birth, addresses, and contact details

Ben Doherty

22, Sep, 2022 @5:14 AM

Article image
AFP investigates $1m ransom demand posted online for allegedly hacked Optus data
Attorney general Mark Dreyfus has been briefed by the privacy commissioner about hack and is seeking ‘urgent’ meeting with telco

Royce Kurmelovs

24, Sep, 2022 @7:20 AM

Article image
5G in Australia: getting up to speed with the future of mobile
As the super-fast network is rolled out across the country, we look at how much it will cost, when you can get it and what it means for the NBN – and your health

Josh Taylor

27, Jul, 2019 @10:00 PM

Article image
Australians increasingly concerned about online privacy after high-profile cybersecurity breaches
After massive hacks at Optus and Medibank, survey from information commissioner finds three-quarters of people feel data breaches are among biggest risk to privacy

Josh Taylor

07, Aug, 2023 @3:00 PM

Article image
Judge blocks Telstra and TPG deal to share regional mobile networks
The two telcos had hoped to increase coverage in remote areas but tribunal rules it would harm competition

Josh Taylor

21, Jun, 2023 @4:41 AM

Article image
TPG offers to pay $5m for overpromising NBN speeds after admitting breach of consumer law
Telco reaches agreement with ACCC to avoid contested hearing after 21,000 customers sold internet plans unable to hit top speeds

Josh Taylor

21, Sep, 2022 @8:22 AM

Article image
Optus cyber-attack: how do you know if your identity has been stolen and what will happen to your data?
If you are an Optus customer, this is what you need to know

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Alleged Optus hacker apologises for data breach and drops ransom threat
Online account claims it published records of 10,000 customers and threatened to release more before change of heart

Josh Taylor and Ben Butler

27, Sep, 2022 @8:39 AM

Article image
Optus cyber-attack leaves customers feeling ‘powerless’ over risk of identity theft
Account holders say they are ‘angry’ personal data including addresses and phone numbers was exposed while some say they are yet to hear from telco

Royce Kurmelovs

23, Sep, 2022 @10:12 AM