The Australian arm of Danish shipping company Svitzer, part of the Maersk Group, suffered a significant data breach that began last year and ran through to Q1 this year, affecting almost half of its 1,000 Australian employees and about an eighth of its total staff.
The hack was one of the first incidents to be disclosed under Australia’s new notifiable data breaches scheme.
Emails from three Australian employee email accounts were secretly auto-forwarded to addresses outside the company. The perpetrator has not yet been identified. The hack began on May 27th 2017 and affected accounts in finance, payroll and operations.
Svitzer Australia head of communications Nicole Holyer said that the company stopped the email theft after being alerted on March 1st this year. Forensic IT experts were now investigating. Personal information on around 500 employees was leaked. Svitzer employs about 1,000 people in Australia. Holyer said that between 50,000 and 60,000 emails could have been forwarded outside the company, although the investigation was ongoing and the scope of the attack had not yet been established conclusively.
Lost details may have included tax file numbers, superannuation account numbers and the names of next of kin.
Svitzer Australia managing director Steffen Risager said that “our absolute priority is our employees. We are offering the highest levels of support to those affected”.
“Svitzer’s IT help desk received a call from an employee about a suspicious email rejection notice from an external email account,” Holyer said. “We then identified, after an investigation, that an email rule had been created on three Svitzer Australia employee accounts to automatically forward emails to two external email accounts.” Holyer said the perpetrator also introduced supporting rules to delete the forwarded emails.
The compromised email account owners could not see that their emails were being forwarded. Holyer said that the company had ruled out the breach having been caused by an insider.
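The detection point in the account above is the combination of two rule actions: a forward or redirect to an address outside the organisation, plus an action (delete, or move to a folder nobody reads) that hides the forwarded copy from the mailbox owner. Svitzer only found it when an external account bounced a message. As an added example that is not part of the original article and is not code from Svitzer or its investigators, the following Python scan looks for exactly that pattern in rule-creation audit records. The page does not say which mail platform Svitzer used; the record shape here is modelled loosely on Exchange inbox-rule cmdlet parameters (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder), and the internal domain list, folder list and all sample events are constructed assumptions.

```python
"""Flag inbox rules that forward mail externally and hide the forwarded copy.

Added example. Record layout is a simplified stand-in for mail-server audit
entries produced when a rule is created or changed; it is not a claim about
any specific vendor's log format.
"""
import re

# Assumption: the organisation's own mail domains. Any other domain is "external".
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Rule parameters that push a copy of each matching message somewhere else.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Folders an attacker commonly targets so the owner never notices the copy
# (assumed list; tune it to your own tenant's folder names).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "rss subscriptions",
                  "archive", "conversation history"}

# Values often carry a display name as well, e.g. "Archive [SMTP:a@b.example]",
# so pull out every address rather than comparing the raw string.
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)

# Constructed sample records (not data from the incident).
SAMPLE_EVENTS = [
    {"CreationTime": "2017-05-27T02:14:09", "Operation": "New-InboxRule",
     "UserId": "payroll.clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo",
                     "Value": "Archive [SMTP:collector@mail-drop.example.net]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2017-06-02T11:40:51", "Operation": "New-InboxRule",
     "UserId": "ops.manager@example.com",
     "Parameters": [{"Name": "Name", "Value": "Copy to assistant"},
                    {"Name": "ForwardTo", "Value": "assistant@example.com"}]},
    {"CreationTime": "2017-06-03T08:05:17", "Operation": "Set-InboxRule",
     "UserId": "finance.lead@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "noreply"}]},
    {"CreationTime": "2017-06-04T22:30:00", "Operation": "New-InboxRule",
     "UserId": "finance.lead@example.com",
     "Parameters": [{"Name": "Name", "Value": "Cleanup"},
                    {"Name": "RedirectTo", "Value": "fin-lead-home@personal-mail.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
]


def params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def is_external(address):
    return address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def external_recipients(p):
    """All external addresses named by any forwarding-type parameter."""
    found = []
    for name in FORWARD_PARAMS:
        for addr in ADDRESS_RE.findall(p.get(name, "")):
            if is_external(addr):
                found.append(addr)
    return found


def hides_mail(p):
    """True when the rule deletes the message or parks it in a rarely read folder."""
    if p.get("DeleteMessage", "").lower() == "true":
        return True
    return p.get("MoveToFolder", "").lower() in HIDING_FOLDERS


def assess(event):
    """Return a finding dict for a suspicious rule, or None for a benign one."""
    if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = params(event)
    external = external_recipients(p)
    if not external:
        return None  # no forwarding, or internal-only forwarding
    hidden = hides_mail(p)
    rule_name = p.get("Name", "")
    return {
        "user": event["UserId"],
        "time": event["CreationTime"],
        "rule": rule_name,
        "external_recipients": external,
        "hides_forwarded_mail": hidden,
        # Attackers often give rules near-empty names like "." so they blend in.
        "bland_name": len(rule_name.strip(". ")) == 0,
        "severity": "high" if hidden else "medium",
    }


def scan(events):
    """Findings for every suspicious rule-creation event, in log order."""
    return [f for f in (assess(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the scan returns two high-severity findings (the payroll account with a forward-and-delete rule under a bland name, and the finance account redirecting to a personal mailbox and parking the originals in "RSS Feeds") and ignores the internal forward and the plain filing rule. A plain external forward with no hiding action is still reported at medium severity, since a legitimate one should be rare enough to review by hand.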
The company has served a court order on the provider that hosted the external email addresses, requiring it to grant investigators access.
Svitzer employs about 4,000 people globally. The attack was not related to last year’s NotPetya attack on Maersk Group.
Australia’s notifiable data breaches scheme, which went into effect in February, requires companies to disclose such incidents to the Office of the Australian Information Commissioner. Companies and government agencies must notify a breach when unauthorised access to or disclosure of personal information is likely to result in serious harm. Organisations normally have up to 30 days to conduct an assessment once a suspected breach is discovered.