A cyber attack has targeted a technology group which provides services to government departments, with hackers now believed to hold stolen data.
- PNORS Technology Group says its two impacted businesses service “a number of external clients, including government departments”
- The company says hackers have revealed a sample “of what is believed to be stolen data”
- The Victorian government says it is investigating whether its data has been exposed in the breach
PNORS Technology Group owns five companies which provide a range of technology services to more than 1,000 clients.
The company confirmed on Saturday that two of its businesses, Datatime and Netway, were the target of a cyber attack on November 3.
“The impacted PNORS Technology Group businesses deal with document and data capture, digital conversion and managed IT support for a number of external clients, including government departments,” PNORS chief executive Paul Gallo said.
“Initial investigations by cyber security experts indicated this incident was limited to systems being encrypted and locked.
“However, overnight the criminals behind the cyber attack released to the company in a private communication a sample of what is believed to be stolen data.”
The Victorian Department of Premier and Cabinet (DPC) said it was determining whether data held by the state had been exposed in the breach.
A DPC spokesperson said the government was “continuing to provide support to PNORS Technology Group to determine the extent of the information breach and to prevent further incidents”.
PNORS said it immediately notified affected clients on November 3, contacted state and federal police and engaged external cybersecurity experts.
The Office of Australian Information Commissioner has been notified.
“The extent of the data breach is still being investigated and we are working closely with all authorities to assess how many of our clients have been impacted and the nature of the data that has been stolen,” Mr Gallo said in a statement.
“When we were informed about the cyber attack we immediately shut down and isolated all our internal systems and took further measures to secure our network and data, along with pausing all data processing.”
The Victorian DPC spokesperson said the Victorian Government’s Cyber Incident Response Service had been notified.
“Protecting Victorian data and systems is our highest priority,” the DPC spokesperson said in a statement.
“If it is determined that Victorian government data has been exposed as a result of this breach, departments will notify impacted individuals and provide advice on steps they can take to minimise any risk.”
It is the latest in a string of data breaches at high-profile targets, starting with telco Optus in late September.
Australia’s data breach notification laws require companies with an annual turnover of $3 million or more to notify the privacy commissioner about exposed customer data, so it is possible smaller companies have been exposed without making it public.
A security expert last month warned “a decade of anti-security policy” had left Australia open for attacks.
Another this week warned hackers would now see Australia as “a soft target” in light of the recent breaches.
Attorney-General Mark Dreyfus last week introduced a bill to amend the Privacy Act to the penalty for large data breaches to a minimum of $50 million.
The current maximum penalty for serious or repeated breaches of privacy is about $2 million.