Australian Firm Costa Group Suffers Phishing AttackPhishing Incident Caused Service Disruptions and Delays
Australian fruit and vegetable supplier Costa Group says it was subjected to a malicious and sophisticated phishing attack in August that resulted in unauthorized access to its servers.
The company, which is listed on the Australian Securities Exchange, on Thursday in a data breach notification said that the attack occurred on Aug. 21, 2022, and after investigating with external IT security consultants the company found that "access to data was confined to a single server at the Costa Corindi site."
The server holds data for workers in the berry category, and only approximately 10% of the data on the Corindi file server was accessed, it says.
The company says it has notified relevant authorities about the attack, including the Australian Cyber Security Center and the Office of the Australian Information Commissioner.
The company has not provided details on the number of users affected or size of the file data that was accessed. But it says the sensitive information may include workers' passport details, bank details, superannuation details and tax file numbers.
The company is supposed to notify the Office of the Australian Information Commissioner within 30 days under the notifiable data breaches law, but the company had not yet provided a timeline on when the breach was discovered.
Costa Group interim CEO Harry Debney in a statement says that this is a malicious attack that was sophisticated in its execution.
"Our first concern is for the impact this may have on our current and former employees. With this firmly in mind, we continue to do everything we can to minimize any adverse consequences and to strengthen our cybersecurity protections," Debney says.
He also says that no core business applications were accessed, nor was any customer or supplier data comprised by the attack.
A spokesperson for Costa was not immediately available to provide more details.
Costa operates in more than 30 rural and regional communities across Australia, China and Morocco, according to its website.
The attack led to an investigation causing a delay in operations and required manual workarounds at certain sites, further delaying deliveries, the company says.
The company notification says that the impact largely has subsided, and it has restored the majority of its network and systems.
It further claims that there was no loss of data and no material impact to operations or earnings.
The data breach affects employees directly hired by Costa's berry category since 2013 or provided by the labor-hire organizations since 2019.
The notification also says the company cannot verify what specific data is included in the 10% of data that was accessed because the hacker encrypted their downloads. But it says much of the information that was stored on the server is not personal information.
"There is a risk that personal sensitive information of workers on Costa's Australian berry farms may have been accessed. To date, there is no evidence that any personal information has been leaked or uploaded to any sites," the company says.
Costa says it has taken additional steps to protect against any further malicious attacks, including limiting traffic to servers, increasing the level of endpoint protection and scheduling employee training relating to phishing and social engineering practices.
The company also says it is monitoring the dark web to detect if any information from the server has been posted and confirmed that it has not yet identified the publication of any such information.
"We recommend that people who may be affected take precautionary measures to reduce the risk of their data being used unlawfully," the notification says.