MyDeal Data Appears Online, Vinomofo Discloses Breach, Optus Fallout Continues
Personal data from MyDeal.com.au, a marketplace owned by Australia’s largest grocery chain Woolworths Group, has appeared for sale on a data leak forum.
That comes as wine retailer Vinomofo disclosed a breach on Monday and as the Optus telecommunications breach continues to fuel concerns over data security and whether Australian data protection laws are adequate.
The 500-line sample data from MyDeal appears to be legitimate, says Troy Hunt, a data breach expert who created Have I Been Pwned, a service that notifies people when their email address has appeared in a new data breach.
MyDeal’s website reveals whether an email address is already in its system when someone tries to register a new account, Hunt says. The email addresses in the sample are registered with MyDeal.
An attacker, who goes by the nickname “Christian Dior,” is trying to sell the entire MyDeal data set for $600.
Woolworths Group, which owns MyDeal, disclosed on Friday that an attacker gained access to its customer relationship management system using a compromised login credential. CRM software is widely used amongst organisations to store and process user data.
Dior confirmed to ISMG that’s how he gained access to MyDeal. “Most of the access was gained from password reuse. They [MyDeal] didn’t even notice until we started [f***ing] with customers’ support tickets.”
Woolworths said 2.2 million people are affected. For 1.2 million people, only their email address was exposed. For the rest, names, email addresses, phone numbers, delivery addresses and sometimes birth dates were exposed. Woolworths said MyDeal does not store passport details, driver’s license numbers or payment information.
Dior told ISMG he sent an email to around a dozen people at MyDeal asking for $20,000 in exchange for deleting the data. Dior says he’s not sure if MyDeal responded, as he lost access to MyDeal’s systems a day later “while I was high on mushrooms.” Cybercriminals often try to extort organizations after stealing sensitive data with the promise that data will be deleted.
Dior published a screenshot that indicated access to MyDeal’s Atlassian Confluence server, which is a collaboration tool. The URL visible in the screenshot is mydeal.atlassian[dot]net. The screenshot shows a page open in MyDeal’s internal wiki that shows its cyber security and breach response policies.
Dior also shared screenshots with ISMG that have not been publicly released, including a network infrastructure map. The map is too sensitive to publish, but it is a complex diagram showing how MyDeal’s infrastructure is connected, from SaaS services to e-commerce systems to payments to development systems to the CRM system that was hacked.
Dior also said he accessed source code in MyDeal’s Bitbucket, which is a software platform for managing code development. He was also inside MyDeal’s Zendesk customer support system.
Australia’s Privacy Reckoning
The MyDeal development comes as an Australian wine retailer, Vinomofo, began notifying its customers around Monday of a data breach involving its customer database. According to a notification, Vinomofo says someone unlawfully accessed the database when it was connected to a testing platform.
Hunt says organizations often make the mistake of using real data within test environments, which can lead to trouble if there is a compromise.
Vinomofo didn’t say how many people are affected. It maintained the risk is low but that the compromised data includes name, gender, birth date, email and phone number. It says it reported the breach to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
Although significant, the MyDeal and Vinomofo breaches follow what was perhaps the greatest privacy breach in Australian history, involving Optus, the country’s second-largest telecommunications company.
An attacker, who went by the nickname “Optusdata,” accessed an internet-facing application programming interface that did not require authentication. It was connected to Optus’s customer database. The person subsequently downloaded around 10 million current and former customer records stretching back to 2017 (see Optus Under $1 Million Extortion Threat in Data Breach).
The person then tried to extort Optus for US$1 million. Two days later, Optusdata withdrew the demand, apologized for releasing data samples affecting 10,200 people and said the data would no longer be sold. Optus told ISMG the same day that it did not pay a ransom (see Optus Attacker Halts AU$1.5 Million Extortion Attempt).
The Optus data breach was particularly sensitive. Around 2.8 million of the 10 million people had their passport number, their driver’s license number and driver’s license card number, or their Medicare card number revealed. Medicare is Australia’s national insurance scheme. That data was leaked in addition to name, address, phone number and birth date.
The incident caused fury amongst current and former Optus customers and unprecedented action from the government to blunt potential fraud as a result of the breach.
Lawmakers promptly amended the Telecommunications Regulations 2021 to allow the sharing of information related to the Optus breach with financial institutions.
“These changes will reduce the impact of this data breach on Optus customers and enable financial institutions and government agencies to implement enhanced safeguards and monitoring,” according to an advisory on Friday from the Australian Cyber and Infrastructure Security Centre.
The government also created the Commonwealth Credential Protection Register, which is intended to stop the fraudulent use of ID information. It added 100,000 compromised passport numbers exposed in the Optus breach to the register. Those numbers can no longer be used with the Document Verification Service (DVS).
The DVS is a government service that lets organizations verify whether certain identity data is correct. It can be used to check the veracity of 14 documents, including birth certificates, driver’s licenses and passport numbers. When entities registered with DVS request a check, DVS returns only a “yes” or “no” answer as to whether a document is correct.
In what may be a world first, the Australian government also pressed Optus to reimburse people for fees incurred in replacing their passports and driver’s licenses. For passports, however, those eligible must pay for the replacement up front and then apply to Optus for reimbursement.
Optus will apply a credit to customers’ bills to cover the cost of a replacement driver’s license, but the arrangement depends on the state or territory. Some states and territories are initially waiving the cost of replacement due to the breach. Optus has published more information.
The government’s pressure on Optus to reimburse those affected by the breach is striking and could send a message of increasing intolerance for data breaches and of increasing immediate costs for those at the source of them. Consumers often wait years to see any compensation from class-action lawsuits following a breach, as those suits can drag through the courts for years before they are settled.
The government is also considering strengthening privacy laws to create higher penalties for those found to have violated the country’s Privacy Act. Each violation can merit a fine of up to AU$2.2 million (US$1.38 million), but the minister for Home Affairs and Cyber Security, Clare O’Neil, has said that figure is “totally inappropriate.”