The non-bank mortgage lender Firstmac has been hit by a cyberattack, resulting in the theft and publication of customer details such as credit card numbers, passport numbers, Medicare numbers, and driver’s licence details on the dark web.
Firstmac, a major non-bank lender based in Brisbane, informed its customers via a letter that an unauthorized party had breached its IT systems. The company stated, “Our ongoing investigation has found evidence that some personal information of our customers has been accessed.”
Firstmac assured affected individuals that they were being notified directly and advised on steps to protect themselves from scams or phishing attempts, in accordance with regulatory requirements. The firm also mentioned that relevant authorities had been informed and were being kept updated on the investigation’s progress.
The technology publication Cyberdaily reported that the hackers responsible for the attack had posted a significant amount of data on the dark web. The ransomware group EMBARGO claimed responsibility for the hack, which occurred in April, and had set a ransom deadline of May 8. Cyberdaily provided screenshots from EMBARGO’s website showing customer addresses, financial details, and email addresses, as well as the contact details of several Firstmac executives and IT team members.
The extent of the breach in terms of affected customers and employees remains unclear. Firstmac was contacted for additional comments on the situation.
Firstmac announced that it had enlisted IDCARE, Australia’s national identity and cyber support service, to assist customers. IDCARE’s services are available at no cost to affected individuals, with expert Case Managers ready to address concerns about the potential misuse of personal information.
The company emphasized that its systems were functioning normally, operations were unaffected, and customer funds were secure. They stated there was no evidence of any impact on customer accounts.
This incident is part of a growing trend of cyberattacks on high-profile Australian organizations. According to the Australian Signals Directorate, over 127,000 hacks against Australian servers were recorded in the 2022-23 financial year, marking a 300% increase from the previous year.
Last year, a data breach at Melbourne travel agency Inspiring Vacations exposed about 112,000 records, totaling 26.8 gigabytes of data, due to a non-password protected database. This breach adds to a list of incidents affecting companies such as Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks, reflecting a “new normal” of frequent attacks and data leaks.
The Optus breach, in particular, led to new legislation imposing stricter penalties for serious or repeated customer data breaches. Companies failing to protect data now face fines exceeding $50 million.
Attorney-General Mark Dreyfus emphasized the need for robust data protection, stating, “When Australians are asked to hand over their personal data they have a right to expect it will be protected,” and noted that recent significant breaches demonstrated the inadequacy of existing safeguards.
Australia recently abandoned plans to ban ransomware payments, instead opting for mandatory reporting obligations. Research by IT firm Cohesity found that 92% of Australian IT executives would pay a ransom to recover data and restore business processes, with a significant number willing to pay over $US3 million, and some over $US5 million.
Cybersecurity Minister Clare O’Neil highlighted the issues with paying ransoms, stating, “Every time a ransom is paid, we are feeding the cybercrime problem,” and stressed the need for more foundational work before considering a ban on ransom payments.
