Ransomwared payroll provider leaks data on 38,000 Australian government workers

Personal information describing names, addresses, bank account details, and taxation IDs of 38,000 Australian government employees has been leaked to the dark web after a ransomware attack.

The treasurer of the Australian State of South Australia, Rob Lucas, today revealed the source of the leak: outsourced payroll provider Frontier Software.

Frontier had previously advised that the attack had been deflected and customer data was safe. On November 16, the company admitted it was “experiencing a cyber incident which has resulted in limited access to some of our computer systems and data”. The next day, Frontier advised customers that service had been restored and that its investigations “show no evidence of any customer data being exfiltrated or stolen”. Customers were told that some data was encrypted, but it was nothing to worry about as “Australian customer HR & Payroll data and systems are segmented from the corporate systems and were not compromised”.

That initial assessment was wrong. On December 9, Frontier admitted “some data exfiltration” occurred and “a small number of Frontier Software customers” were whacked.

One of those clients was the State Government of South Australia.

Treasurer Lucas said the number of staff whose personal data had been leaked was somewhere between 38,000 and 80,000.

Names, addresses, salaries, birthdays, and bank account details were all accessed. Tax File Numbers – an identifier used widely in Australian life to prove identity for chores such as obtaining a passport – were also accessed.

Lucas’s announcement states that all impacted staff have been informed, but he nonetheless warned all to contact their banks, change passwords, adopt 2FA, and watch for suspicious transactions.

With at least 38,000 records out there, this incident will have a significant blast radius. One small upside is that, while Frontier Software operates outside Australia, it appears only Australian data was accessed.

On the downside, the incident shows your security is only ever as strong as your suppliers’. ®