Another vendor hack compromises sensitive information
An attack on a document storage service has resulted in the leak of sensitive information about victims of family violence and sexual assault who had been treated at Monash Health, the public health service in Victoria. The attack also compromised the personal information of current and former students at Melbourne Polytechnic, as well as that of other clients of the records management and storage firm.
The breach was first disclosed publicly in February after the threat actors posted something on the dark web, but details are only now emerging. Not all affected clients of ZircoDATA have issued statements. Australia’s National Cyber Security Coordinator posted a statement on X (formerly Twitter) yesterday that stated:
“Monash Health has disclosed that a selection of its archived data, including very sensitive data from family violence and sexual assault support units dating from 1970 to 1993, has been exposed by the breach. This is a distressing development for those who have, or believe they may have, been impacted by this exposure. In particular, I want to acknowledge the impact this news will have on affected victim-survivors who had been supported by Monash Health’s services. We continue to work with our Victorian counterparts to ensure this group has as much support in place as possible.”
Monash Health posted a notice on its site about the incident and has set up a dedicated webpage on the breach. According to The Age, about 4,000 of those affected were from the family violence and sexual assault support units.
The group responsible for the attack, BlackBasta, has leaked data on the dark web and claims to have acquired 395 GB of files from ZircoDATA, including:
1. Finance
2. IT
3. Public
4. RM / RMCorp
5. Personal users folders
6. Confidentiality & Non-Disclosure
and etc…
Their leak site post does not specifically mention Monash Health or provide a full list of the ZircoDATA clients affected. BlackBasta makes no claims about how much money they may have demanded not to leak the data, and does not mention whether ZircoDATA attempted to negotiate with them at all.
Much is unknown at this time, including how the attackers gained access, and whether ZircoDATA was supposed to encrypt data at rest or whether security was up to the client.