Staff at security firm G4S on alert after tax numbers and bank details posted online following hack

Exclusive: Ransomware attack on Port Phillip prison revealed in July led to data being posted in mid-September with staff told details this week

Current and former Australian employees of security firm G4S have been told to be on alert after personal information – including tax file numbers, bank account information and medical checks – was stolen and posted online in a ransomware attack.

It is one of at least three further data breaches to be disclosed in Australia this week after the massive Optus cyber hack. It follows government plans to reform cybersecurity laws and seek higher penalties under the Privacy Act.

G4S provides services for prisons across Australia and, previously, the federal government’s offshore detention centre on Manus Island. It told current and former employees on Tuesday that it had been the subject of “a cyber incident” that gave an unauthorised third party, “or malware program”, access to G4S systems.

Guardian Australia understands the incident was a ransomware attack on Port Phillip prison which was reported by media in early July. In mid-September, G4S learned that some of the information had been posted online.

But the company only informed those affected about the extent of the attack and what documents had been compromised in an email on Tuesday.

The data obtained included employee names, addresses, dates of birth, contact details, police and medical checks, tax file numbers, bank account details, superannuation information, Medicare numbers and licence details. In some cases, payslips, health information shared with the company, and details about Workcover claims or incident reports were also compromised.

The company said the data was not easily accessible. It told employees it had taken action to prevent the third party continuing to access G4S systems and was working with the Australian Cyber Security Centre (ACSC).

Although the attack occurred at Port Phillip prison, the hacker was able to access the company’s entire network in Australia.

It is not clear how many staff were affected by the breach. G4S did not provide responses to specific questions about who was affected, instead saying the company was continuing “to work with impacted individuals to offer them full support”.

The company advised those affected on how to replace their identity documents but did not offer to pay for the replacements or provide credit monitoring. The company worked with IDCare to assist affected staff.

Guardian Australia was also alerted on Tuesday to another Optus-style data breach involving an employment agency. The breach came through an open application programming interface (API) similar to the one believed to have been abused in the Optus attack. Personal documents such as photos of passport pages and Covid-19 vaccination certificates were accessible via the vulnerability.

Separately, photos of identity documents – including driver licences – of hundreds of thousands of the company’s clients were publicly available via Google image search results because users had uploaded their licences as their profile photo. The employment company has since acted to prevent users from uploading sensitive documents to profiles.

Jamieson O’Reilly, the founder of Sydney-based cybersecurity company Dvuln, discovered the issue while researching the Optus breach. O’Reilly reported it to the company which then closed access through the API. The incident was also reported to the ACSC.

Telstra suffered a breach of employee data on 27 September, Guardian Australia reported on Tuesday. The company on Saturday alerted staff that 30,000 names and work email addresses of current and former workers were posted online to the same website where the Optus data breach ransom threat was posted – and subsequently revoked.

The data dated back to 2017 and was from a third-party vendor Telstra had used for its employee rewards program.

Telstra no longer used the system and said only 12,800 of the 30,000 staff still worked for the company. It said it had reset the passwords for all users of its new rewards system.

A Telstra spokesperson said the company believed the party responsible for posting the data was seeking to profit from the attention on the Optus data breach, and no customer information was at risk.

Services Australia has begun sifting through the records of customers who had their Medicare cards exposed in the Optus data breach after Optus handed over the details to officials at 1am on Tuesday morning.

The federal government services minister, Bill Shorten, condemned Optus on Sunday for not having handed over the data, but Optus reportedly said the company was given until Tuesday to hand over the information.

“It’s now day 13 and I’m pleased that our Services Australia people were able to get data finally today,” Shorten said. “But I think Optus CEO, Optus senior management are kidding themselves if they want a medal for the way that they’ve been communicating. No one … even a crocodile, would swallow that.”

Optus refused interview requests with the CEO, Kelly Bayer Rosmarin, on Tuesday. However, she told Nine Entertainment that she stands by her claim that the method used to extract the data from the company was not “basic”.

The company has recruited Deloitte to conduct an external review into the circumstances of the breach but has indicated it will not release the findings publicly.

The prime minister, Anthony Albanese, said Optus had committed to paying to replace customers’ passports if their numbers were exposed in the breach, but customers have not been given clear information about how to proceed.

When asked about this on Tuesday, a spokesperson for Optus said the company was working with the government “on how we can support our current and former customers who have had their passport numbers or expired passport numbers compromised”.

• This article was amended on 5 October 2022 to specify that it was G4S’s Australian network affected, not its entire global network.

Contributor

Josh Taylor

The Guardian
