SA government data breach due to Frontier Software ransomware attack

The data breach impacted South Australian government employees after the Frontier Software ransomware attack

Data breach affected at least 38,000 employees. Data of South Australian government employees potentially exposed. Up to 80 000 exposed.

Up to 80 000 Australian government employees were affected by the data breach. At least 38 000 people had their data accessed, but the rest may be exposed too.[1] The sensitive information was exposed due to a ransomware attack that infected the system of an external payroll software provider last month, according to South Australia's Treasurer Rob Lucas.

Frontier Software suffered the ransomware attack back in November.[2] The company stated that the incident did not affect client systems via its products and that the data exfiltration was limited to a particular segment.[3] Its statement claims that there is no evidence that data was compromised or exfiltrated outside of this segment.

The ongoing forensic investigation and other response activities conducted by Frontier Software and CyberCX has now confirmed evidence of some data exfiltration from Frontier Software’s internal Australian corporate environment.

Personally identifiable details about government employees exposed

The information accessed and possibly exfiltrated during the security incident includes names, dates of birth, tax file numbers, home addresses, bank account details, employment start dates, payroll period, remuneration, tax withheld, payment type, lump-sum payment type and amounts, superannuation contribution, and reportable fringe benefits tax amount. The only department not affected was the Department of Education, because this public entity does not use Frontier products.[4]

The issue with such information going public is the risk of secondary attacks, malware infiltrations, and even identity or money theft. The number of potentially affected people is huge, and having such details exposed can have major consequences. Information like bank account or credit card details does not lead straight to access to the bank account and funds, but it can help attackers who are trying to work out passwords and login information.

State government officials should take precautionary measures and all possible steps to review the incident and prevent such events in the future. Impacted employees are warned about emails, calls, SMS, and other possibly threatening messages. Resetting passwords and activating two-factor authentication are advised.

Conti ransomware responsible for the breach

Frontier Software was attacked on November 13, and customers received cyber incident alerts on November 16. According to the software developers, the system was fully restored a day later, on November 17. The data breach related to this security incident was announced a few days after that statement, together with the determination that Conti ransomware[5] was behind the breach. This ransomware-as-a-service operation is a known and powerful threat that has been active for years.

The people responsible for its distribution manage to evade prosecution even when high-profile victims suffer these ransom-demanding attacks. The group of criminals responsible for the Conti file virus made headlines for abusing the newly revived Emotet Trojan, which came back stronger than before and can lead to a new wave of major ransomware attacks.

With 80 000 potentially affected people, this is not the biggest breach in Australia. Tasmanian Ambulance suffered a breach at the start of this year that affected every resident who requested an ambulance between November 2020 and January 2021. In February, Oxfam Australia investigated a cyber attack that impacted the information of 1.7 million supporters. There is a full list of the security incidents affecting Australia this year,[6] and it seems that cybercriminals target people and entities all over the world.

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
