Australian InfoSec Incident Report 2015 Summary

Australian Information Security Incident Reported: 2015

IS blamed for Sydney church website hack
A Sydney church website has been restored after it was hijacked with the message: “Hacked by Islamic State”.
Dec 03, 2015. Gemma Najem, AAP
Read more: http://www.news.com.au/national/breaking-news/is-appears-to-hack-sydney-church-website/news-story/acf76cdd1c1ec637d1ce4999110fcdf0

China blamed for ‘massive’ cyber attack on Bureau of Meteorology computer
China is being blamed for a major cyber attack on the computers at the Bureau of Meteorology, which has compromised sensitive systems across the Federal Government.
Dec 02, 2015. Chris Uhlmann, ABC
Read more: http://www.abc.net.au/news/2015-12-02/china-blamed-for-cyber-attack-on-bureau-of-meteorology/6993278

Queensland police officer suspended for computer hack
A north Queensland police officer allegedly failed to disclose a conflict of interest and retrieved confidential information from police computers.
Nov 25, 2015. AAP, Brisbane Times
Read more: http://www.smh.com.au/queensland/queensland-police-officer-suspended-for-computer-hack-20151129-glb4zt.html

Law student charged with hacking UQ to get better marks
The student allegedly used a staff ID card to break into a staff area and logged on to the private system to upgrade the marks on his papers ahead of graduation, according to News Corp.
Nov 30, 2015. AAP, SMH (Queensland)
Read more: http://www.brisbanetimes.com.au/queensland/law-student-charged-with-hacking-uq-to-get-better-marks-20151125-gl7ztf

Cherry Blooms Facebook account hacked
An Australian cosmetics company is warning fellow small businesses to be careful after its Facebook page was hacked.
Nov 19, 2015. Broede Carmody, Smart Company
Read more: http://www.smartcompany.com.au/finance/49126-cherry-blooms-facebook-account-hacked-don-t-think-you-are-not-at-risk.html

TAFE Queensland IT system hacked; personal details of thousands of students stolen
The personal details of thousands of TAFE Queensland students have been stolen in an IT system hack.
Nov 12, 2015. Jesse Dorsett, ABC
Read more: http://www.abc.net.au/news/2015-11-10/tafe-queensland-it-system-hacked-student-data-stolen/6926746

Essendon privacy lapse as personal contact information of prominent members is sent via email
THE personal contact information of Essendon’s most prominent and powerful supporters has been mistakenly emailed to more than 380 members of the club’s past players and officials association.
Nov 04, 2015. GRANT BAKER, Herald Sun
Read more: http://www.heraldsun.com.au/sport/afl/teams/essendon/essendon-privacy-lapse-as-personal-contact-information-of-prominent-members-is-sent-via-email/news-story/29719b7e9f5977b32db96007c8e34454

Aussie Farmers Direct hacked, user details posted online
Home delivered groceries business Aussie Farmers Direct has fallen victim to an attack on its systems which has seen the personal details of more than 5000 of its customers posted online.
Oct 30, 2015. Allie Coyne, itNews
Read more: http://www.itnews.com.au/news/aussie-farmers-direct-hacked-user-details-posted-online-411244

Hackers breach Australian clothing company Patagonia’s website, hundreds of customers’ bank details ‘at risk’
Hundreds of customers of outdoor clothing company Patagonia may have had their bank details stolen after hackers breached its Australian website.
Oct 27, 2015. Jake Sturmer, ABC
Read more: http://www.abc.net.au/news/2015-10-27/patagonia-website-hacked-600-customers-bank-details-at-risk/6888196

TeleChoice owns up to 2014 data breach
Telstra wholesale provider TeleChoice has agreed to pay for 12 months of credit monitoring for customers affected by a 2014 data breach.
Oct 27, 2015. Allie Coyne, itNews
Read more: http://www.itnews.com.au/news/telechoice-owns-up-to-2014-data-breach-411094

David Jones computer system hacked and customers’ private details stolen
Australian fashion retailer David Jones says its computer system has been hacked and the private details of some of its customers have been stolen by criminals.
Oct 02, 2015. Will Ockenden, ABC
Read more: http://www.abc.net.au/news/2015-10-02/david-jones-computer-system-hacked-customer-details-stolen/6824170

Kmart Australia customer details hacked
Kmart has employed IT forensic investigators after the personal details of its online customers were hacked.
Oct 01, 2015. MSN
Read more: http://www.msn.com/en-au/news/personalfinance/kmart-customer-details-hacked/ar-AAeYGmj

How an Aussie real estate software firm handled its first hack
Australian real estate software provider Inspect Real Estate recently fell victim to a phishing attack on its online tenancy system, but a lack of similar cases in the industry meant the firm was forced to essentially write the manual on dealing with a breach.
Oct 01, 2015. Allie Coyne, iTNews
Read more: http://www.itnews.com.au/news/how-an-aussie-real-estate-software-firm-handled-its-first-hack-412888

Global lingerie brand confirmed its Australian Facebook account has been hacke.
Global lingerie brand Simone Pérèle has confirmed its Australian Facebook account has been hacked.
Sep 21, 2015. Ragtrader
Read more: http://www.ragtrader.com.au/news/brand-locked-out-after-hack

Townsville adult store blackmailed by hackers
QUEENSLAND’S oldest sex shop has been held to ransom by hackers who infected the store’s computers, locking down all its files with a highly sophisticated malware.
Sep 21, 2015. CHRIS MCMAHON, Townsville Bulletin
Read more: http://www.couriermail.com.au/news/queensland/townsville-adult-store-blackmailed-by-hackers/news-story/003458924f285d9b2dcc30133d382fe5

Australia Disgruntled web developer hacks ‘Go Switch’ website to try to get $3000 payment
A disgruntled website developer is believed to be behind a website hack that occurred on the website of electricity and gas comparison site GoSwitch.
Sep 17, 2015. Renee Thompson, Smart Company
Read more: http://www.smartcompany.com.au/technology/48423-disgruntled-web-developer-hacks-website-to-try-to-get-3000-payment.html

Vodafone asks police to probe unauthorised accessing of reporter’s phone records amid apology
Vodafone Australia says it has reported to police the alleged unauthorised accessing of a Fairfax Media journalist’s phone and text message records in a bid to uncover her sources – a reversal of its original position on the matter.
Sep 15, 2015. Ben Grubb and David Ramli, SMH
Read more: http://www.smh.com.au/national/vodafone-asks-police-to-probe-unauthorised-accessing-of-reporters-phone-records-amid-apology-20150915-gjnabc.html

‘UNSW is drunk’: Facebook page gets hacked on university’s Open Day
UNSW staff had to scramble to contain an embarrassing outbreak of undergraduate humour, after the university’s Facebook page was hacked on its annual open day on Saturday.
Sep 05, 2015. Christopher Harriet Alexander and Eamonn Duff, Brisbane Times
Read more: http://www.brisbanetimes.com.au/nsw/unsw-is-drunk-universitys-facebook-page-gets-hacked-on-its-open-day-20150905-gjfsz2

A junior Defence staffer allegedly took home an intelligence report and posted it online
An Australian spy agency says it has no way of knowing who has obtained a “highly sensitive” report meant for our top allies after it was allegedly leaked by a junior defence bureaucrat on an online forum.
Aug 05, 2015. Christopher Knaus and Michael Inman, SMH
Read more: http://www.smh.com.au/act-news/a-junior-defence-staffer-allegedly-took-home-an-intelligence-report-and-posted-it-online-20150804-gir4rq.html

Sensis publishes hundreds of silent numbers online
Sensis and Telstra are investigating a privacy breach that led to the publication of the unlisted phone numbers and addresses of at least 230 residential and business customers.
Aug 03, 2015. Andrew Sadauskas, itNews
Read more: http://www.itnews.com.au/news/sensis-publishes-hundreds-of-silent-numbers-online-407359

AFP staffer illegally accessed police database to run ‘calculated campaign’ against former partner
A former Russian soldier and Australian Federal Police staff member illegally accessed police data to run a “calculated campaign” against his former partner, a Canberra court has heard.
Aug 03, 2015. Elizabeth Byrne, ABC
Read more: http://www.abc.net.au/news/2015-08-03/afp-staffer-allegedly-used-police-data-to-stalk-former-partner/6669142

Suspected cyber attack forces termination of crucial Qantas pilot vote
A suspected cyber attack has forced the termination of a crucial vote on a new wage deal by Qantas’ long-haul pilots, which the airline wants passed before it will commit to buying a fleet of new planes.
July 14, 2015. Matt O’Sullivan, SMH
Read more: http://www.smh.com.au/business/aviation/suspected-cyber-attack-forces-termination-of-crucial-qantas-pilot-vote-20150713-gib4ho.html

DDoS attack downs iiNet services
iiNet broadband customers in New South Wales had a rough ride over the weekend, facing long service interruptions as their internet provider struggled to mitigate against a large distributed denial of service (DDoS) attack.
July 13, 2015. Juha Saarinen, itNews
Read more: http://www.itnews.com.au/news/ddos-attack-downs-iinet-services-406437

Sussan’s website goes down after security breach
Fashion retailer Sussan took down its own website for six days following “a security incident”.
June 24, 2015.
Eloise Keating, SmartCompany
Read more: http://www.smartcompany.com.au/finance/47401-sussan-s-website-goes-down-after-security-breach.html

UPDATE 1-Australian metal detector company counts cost of Chinese hacking
Metal detection and mining technology firm Codan, who has watched sales and prices of his firm’s metal detectors collapse since Chinese hackers stole its designs three years ago to sell cheap imitations into Africa.
June 24, 2015. Byron Kaye and Jane Wardell, Reuters
Read more: http://www.reuters.com/article/2015/06/25/china-cybersecurity-australia-pix-graphi-idUSL3N0ZB15O20150625

Private health insurer NIB leaks customers’ private details
Private health insurer nib faces tough questions after displaying the personal details of its customers, including mobile numbers, email addresses and claims history, on its website in an accidental breach of confidential information.
June 22, 2015. Tim Binsted, SMH
Read more: http://www.smh.com.au/business/private-health-insurer-nib-leak-customers-private-details-20150622-ghub1g.html

iiNet investigates alleged Westnet data breach
iiNet has said that it is investigating a potential database hack on its subsidiary Westnet that could have seen passwords, email addresses, and other personal information compromised and sold to the highest bidder.
June 8, 2015. Josh Taylor, ZDNet
Read more: http://www.zdnet.com/article/iinet-investigates-alleged-westnet-data-breach/

Woolworths leaks $1 million of gift cards in massive data breach debacle
Grocery giant Woolworths has scrambled to cancel over $1 million worth of shopping vouchers after a massive leak of customer data, in which it mistakenly emailed the redeemable codes of 8000 gift cards containing the customers’ names and email addresses.
May 31, 2015. SMH
Read more: http://www.smh.com.au/digital-life/consumer-security/woolworths-leaks-1-million-of-gift-cards-in-massive-data-breach-debacle-20150530-ghd8wl.html/

‘Islamic State group’ hacks Adelaide welfare agency’s Paper Tracker website to recruit ‘martyrs’
A group claiming to be Islamic State (IS) has hacked a website for an Adelaide-based Aboriginal community program run by welfare agency Uniting Communities.
April 13, 2015. ABC
Read more: http://www.abc.net.au/news/2015-04-13/is-affiliated-group-hacks-adelaide-agency-paper-tracker-website/6390060

Group claims IS message on Hobart International Airport website
A group has claimed responsibility for hacking the Hobart International Airport website and posting a statement supporting the radical Islamist group ISIS, also known as Islamic State or IS.
April 12, 2015. AAP
Read more: https://au.news.yahoo.com/a/27065435/isis-message-on-tas-airport-website/

Linux Australia suffers server breach
Linux Australia has revealed an attack on one of its servers could have provided a “malicious individual” with access to personal member information.
April 7, 2015. Russell Brown, itNews
Read more: http://www.itnews.com.au/News/402398,linux-australia-suffers-server-breach.aspx

Personal details of world leaders accidentally revealed by G20 organisers
The Guardian can reveal an employee of the agency inadvertently sent the passport numbers, visa details and other personal identifiers of all world leaders attending the summit to the organisers of the Asian Cup football tournament.
March 30, 2015. Paul Farrell, The Guardian
Read more: http://www.theguardian.com/world/2015/mar/30/personal-details-of-world-leaders-accidentally-revealed-by-g20-organisers

Optus rapped for three privacy breaches
Optus has committed to undertake an independent review of its information security systems after Australian Privacy Commissioner Timothy Pilgrim investigated three separate security incidents.
March 27, 2015. Josh Taylor, ZDNet
Read more: http://www.zdnet.com/article/optus-rapped-for-modem-vulnerabilities/

Hackers breach NSW GovDC website
Hackers have broken into parts of the New South Wales government’s GovDC website, obtaining access to the administrative pages for its content management system.
March 25, 2015. Juha Saarinen, iTNews
Read more: http://www.itnews.com.au/News/402037,hackers-breach-nsw-govdc-website.aspx

Australian banks fall victim to multi-national hacking attack: cyber-security firm
Australian banks are among about 100 from around the world that have fallen victim to an unprecedented hacking attack, an international cyber-security company says.
February 17, 2015. Josh Bavas, ABC
Read more: http://www.abc.net.au/news/2015-02-17/banks-victim-of-multi-national-hacking-attack-security-firm-says/6130370

Atlassian says HipChat hacked.
Australian productivity firm Atlassian has been the victim of a malicious hacking attack, with hackers targetting the passwords and personal data of its HipChat messaging application..
February 03, 2015. David Swan, THe Daily Telegraph
Read more: http://www.dailytelegraph.com.au/business/breaking-news/atlassian-says-hipchat-hacked/story-fnn9c0gv-1227206107871?nk=f4bf62ca535d696b41342e26d2508ad5

Aussie Travel Cover has hundreds of thousands of records stolen in hacking, policy holders not informed.
One of the country’s largest travel insurance companies opted not to tell customers about a hacking that saw potentially hundreds of thousands of Australians’ personal information stolen and parts of its customer database posted online.
January 19, 2015. Will Ockenden and Benjamin Sveen, ABC PM
Read more: http://www.abc.net.au/news/2015-01-19/aussie-travel-cover-hacked-customers-not-told/6025652

Australia’s largest Arabic newspaper has revealed it came under hacker attack by purported jihadists.
The newspaper’s website manager, who did not wish to be named for security reasons, told Daily Mail Australia he was alarmed to wake up to the hacking.
January 13, 2015. Naomi Tsvirko, Daily Mail Australia
Read more: http://www.dailymail.co.uk/news/article-2907729/I-know-live-know-Australian-newspaper-reveals-chilling-text-threats-Islamic-State-hacker-attack-page-replaced-jihadist-flag-haunting-prayer-music.html

Bundaberg Library Web Site Hacked by “Free Syrian Army”
The message displayed on the Bundaberg Regional Library’s website yesterday suggested that the hacker wants to bring attention to the suffering of Syrian people.
January 11, 2015. Courier Mail
From: http://www.couriermail.com.au/news/queensland/bundaberg-library-website-hacked-by-people-claiming-to-be-from-free-syrian-people/story-fnn8dlfs-1227181518953

Hackers hit website of Tasmanian Police Minister Rene Hidding.
The renehiddingmp.com site has spam adverts for 14 types of prescription medication.
January 3, 2015. ABC News
Read more: http://www.abc.net.au/news/2015-01-03/rene-hidding-mp-website-hacked/5998456