Section updated: 06/07/2021
Introduction
As we reported on our website in September last year (here, here and here), Anglicare became aware in late August 2020 of a cyber incident in which our computer network was the subject of a ransomware attack by cyber criminals.
Our investigations have now concluded.
In short, we have established that the incident resulted in unauthorised access to two of our file servers. However, while our forensic investigations found some evidence of information being exfiltrated (i.e. stolen or taken from our systems), we were unable to find definitive proof as to what information, if any, was in fact exfiltrated or otherwise viewed.
Nevertheless, out of an abundance of caution, and to minimise any possible risk of harm, we have written to potentially affected individuals for whom we have contact details, to inform them of the incident, to let them know what steps we have taken, and what further steps we recommend they take with our assistance.
The purpose of this notice is to more broadly inform the community of the incident, including bringing it to the attention of potentially impacted individuals whom we have not been able to contact.
Background
In late August 2020, Anglicare's computer network was the subject of a ransomware attack by cyber criminals. As soon as we became aware of this attack, we took our impacted systems offline, satisfied ourselves (with the help of experts) that there was no longer any ongoing threat, and then started to remediate and restore our systems.
After a detailed investigation, including by external forensic investigators, it was found that there had been unauthorised access to seven of Anglicare's computer servers, including two file servers that contained personal information.
Since then, we and our experts have undertaken a thorough review of all the information held on those two file servers. That data was 'unstructured', making the task a complex one. It has therefore taken some time to determine the kinds of information held and the individuals potentially impacted.
Ultimately, we were unable to find definitive proof as to any particular information being accessed or taken. Pleasingly, despite our regular monitoring online, we have not seen evidence of any data being leaked.
Steps taken in response
Despite the inconclusive evidence, out of an abundance of caution, and to minimise any potential harm, we have written to potentially impacted individuals for whom we have contact details to inform them of the incident, to let them know what steps we have taken, and what further steps we recommend they take with our assistance.
We have also formally reported the incident to the Office of the Australian Information Commissioner, as well as the Australian Cyber Security Centre and the NSW Police Force (Cybercrime Squad reference E75817938).
We have sought to use the incident as an opportunity to continue to improve and strengthen our information and network security. We are doing everything reasonably possible, going forward, to protect information relating to our staff, clients, customers, residents and other stakeholders.
Have I been impacted?
If you are concerned that you may have been affected by this incident but you have not yet been contacted by us, or if you need more detail about the incident, we have set up a support line for you to contact: 1300 111 278 or [email protected].
Our support line staff will be able to tell you whether or not you are impacted by the incident and, if you are, point you in the right direction for further assistance.
We have also updated our FAQ page, which can be accessed here.
Section updated: 28/10/2020
Anglicare Sydney updates you on the recent cyber-attack on Anglicare’s security and data systems.
Significant progress has been made since our last update in September. Two separate sets of expert teams have undertaken forensic work and are nearing the end of their investigations. They have confirmed there is no ongoing threat or unauthorised access to our systems. They have also been able to narrow the focus of the investigation by ruling out certain systems which were not affected.
The next stage of the investigation is determining what information may have been impacted. The complexity of this work means it will take a number of weeks, for which we have engaged a specialist third party to undertake a detailed analysis of potentially impacted data.
While we work to finalise the investigations, we encourage everyone to continue good cyber security practices, including being cautious of telephone or email scams and not giving out personal information to people you don’t know as a precaution.
Section updated: 15/09/2020
In the interests of keeping all our stakeholders informed, Anglicare provides the following update on the security systems breach we announced on 2 September 2020.
As noted in our previous announcement, on Monday 31 August at 1.00am, a cyber security incident was first detected. This involved a ransomware attack targeting a range of Anglicare’s information systems and servers. We are aware that a number of other organisations across NSW and Australia have also recently been subject to similar cyber-attacks.
Anglicare took immediate steps to isolate and block the unauthorised access to our systems. We quickly notified relevant State and Federal authorities and are continuing to work closely with external partners including cyber security experts to restore our systems. We have also increased cyber security measures across the organisation. A detailed investigation into the incident, including forensic investigations to clearly identify what information may have been accessed, has been initiated.
At this time, it remains unclear whether or not any personal information has been accessed and we are working to determine this as quickly as possible. In the event that we determine personal information has, or is likely to have been, accessed, we will inform affected individuals in accordance with our commitment to privacy and other obligations to clients, staff and other stakeholders.
To keep informed about the latest scams, visit www.scamwatch.gov.au. For fact sheets and information to help prepare, prevent, detect and respond to cyber related issues, visit www.idcare.org/learning-centre. For advice and information about how to protect yourself, your family and your business online, visit www.cyber.gov.au.
If you do have specific questions about this incident, please contact [email protected].
We will provide more detailed information following these investigations and update the website accordingly.
Statement from Anglicare Sydney - 2 September 2020
Statement from Anglicare Sydney - 19 September 2020
In late August 2020, Anglicare's computer network was the subject of a ransomware attack by cyber criminals.
As soon as we became aware of this attack, we took our impacted systems offline, satisfied ourselves (with the help of experts) that there was no longer any ongoing threat, and then started to remediate and restore our systems.
After a detailed investigation, including by external forensic investigators, it was found that there had been unauthorised access to seven of Anglicare's computer servers, including two file servers that contained personal information.
Since then, we and our experts have undertaken a thorough review of all the information which was held on those two file servers. The data was 'unstructured', making the task a complex one. It has therefore taken some time to determine the kinds of information held and the individuals potentially impacted.
Ultimately, we were unable to find definitive proof as to any particular information being accessed or taken. Pleasingly, despite our regular monitoring online, we have not seen evidence of any data being leaked.
We have, since September 2020, been in dialogue with the Office of the Australian Information Commissioner (OAIC) about this incident and have also provided them with a formal regulatory notification.
We also contacted the Australian Cyber Security Centre to inform them of the incident as soon as it occurred, and have reported the incident to the NSW Police Force.
It is believed that the cyber criminals first gained access to the Anglicare network on 29 August 2020. Anglicare became aware of the incident on 31 August 2020.
Anglicare understands that the last evidence of malicious activity was during the period 10 to 14 September 2020. By 17 September 2020, there were no threat actors within the Anglicare network and there was no ongoing threat.
As the data held on the two file servers was 'unstructured', there is potential that the cyber criminals were unable to make any access to actual personal information. Accordingly, for privacy reasons and to reduce the risk of attempts by scammers to target impacted individuals, we are not publicly releasing details of the information stored on the servers which may have been the subject of unauthorised access.
We have written to potentially affected individuals for whom we have contact details to inform them of the incident, to let them know what steps we have taken, and what further steps we recommend they take with our assistance.
If you think you may have been affected by the incident but have not yet been contacted by us, or if you would like further information, please get in contact via 1300 111 278 or [email protected].
Anglicare's operations touch on a broad range of services for the community. Accordingly, Anglicare necessarily possesses some personal information of individuals. The types of personal information that Anglicare collects, and how we collect, handle and use that information, are documented within our Privacy Policy here.
Those responsible were not identified in our forensic investigations. The NSW Police Force, Australian Cyber Security Centre and Office of the Australian Information Commissioner have been notified and are aware of the incident.
Out of an abundance of caution, and to minimise any possible risk of harm, we have already written to potentially affected individuals for whom we have contact details to inform them of the incident, to let them know what steps we have taken, and what further steps we recommend they take with our assistance.
If you have a current or past relationship with Anglicare and think you may have been affected by the incident but have not yet been contacted by us, or if you would like further information, please get in contact via 1300 111 278 or [email protected].
Our support line staff will be able to tell you whether or not you are impacted by the incident and, if you are, point you in the right direction for further assistance.
On 2 September 2020 (here) and 19 September 2020 (here and here), Anglicare provided general notice of the incident.
Since that time, potentially impacted individuals have been contacted directly.
If you think you may have been affected by the incident but have not yet been contacted by us, or if you would like further information, please get in contact via 1300 111 278 or [email protected].
We have written to potentially affected individuals for whom we have contact details.
However, we may not have been able to get in contact with some individuals.
If you have not received an email from us, please check your email account’s spam folder as a precaution.
Otherwise, if you think you may have been affected by the incident but have not yet been contacted by us, or if you would like further information, please get in contact via 1300 111 278 or [email protected].
As we have said above, if you need more detail about the incident, whether your information was impacted or what you should do if you were impacted, or have other queries, Anglicare suggests that you contact us directly, either on 1300 111 278 or [email protected].
Contact your financial institution(s)
Anglicare also suggests that you get in touch with your relevant financial institution(s) to get advice on:
General Awareness
Otherwise, we recommend you remain alert to the common ways in which information can be misused.
Anyone potentially affected by this incident should be vigilant to potential phishing scams (emails fraudulently seeking personal information), telephone scams (calls and text messages fraudulently seeking personal information) and identity theft (the use of personal information to create a fake identity to apply for services). These recommendations are in line with safety and cyber security measures recommended in everyday online engagement.
Scammers can seem quite believable and impersonate government, police and businesses, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.
More information on online safety, cyber security and helpful tips on how you can protect yourself and respond to ransomware attacks, scams, identity theft, and others, can be found at the following government agency websites:
Australians are subjected to scam calls on a frequent basis using an array of data available from our social media accounts and many other places. www.scamwatch.gov.au publishes information on its website about the most current scams impacting the community. If you believe that scam activity you have experienced relates to this incident, please contact our support line on 1300 111 278.
Anglicare takes the privacy and security of the personal information it possesses extremely seriously and we have taken steps to try to prevent any similar incidents happening again.
We have conducted an investigation into how the breach occurred; we have audited our security measures and IT policies and implemented additional measures; we have consulted with data security experts; and we have alerted government agencies including the NSW Police Force and the Office of the Australian Information Commissioner.
We will continue to take all necessary measures to safeguard against any similar incidents occurring in the future.