Firstmac mortgage lender suffers hack, customer credit card details published on dark web

The company said it had engaged IDCARE, Australia’s national identity and cyber support community service, to help its customers.

Loading

“IDCARE’s services are available to impacted customers at no cost and their expert Case Managers can help address our customers’ concerns about potential misuse of their personal information.

“Our systems are running as normal, we remain fully operational, and our business operations have not been impacted by this cyber incident. There is no evidence of any impact to customers’ accounts and our customers’ funds are safe.”

The breach is the latest cybersecurity incident to affect a high-profile Australian organisation, with cyberattacks on the rise.

According to the Australian Signals Directorate, a federal government agency responsible for information security, more than 127,000 hacks against Australian servers were recorded in the 2022-23 financial year, an increase of more than 300 per cent on the year-earlier period.

Late last year, researchers discovered a data breach impacting Melbourne travel agency Inspiring Vacations, in which a non-password protected database containing about 112,000 records totalling 26.8 gigabytes of data was leaked online.

Tens of millions of Australians have been caught up in recent security breaches, including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World and Dymocks, in what is being dubbed a “new normal” of consistent attacks and leaks.

The Optus breach, in particular, led to new legislation significantly increasing penalties for serious or repeated breaches of customer data. Organisations that fail to adequately protect peoples’ data face fines of $50 million or more.

“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Attorney-General Mark Dreyfus said when introducing the legislation.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”

Loading

Australia late last year dropped plans to ban companies from making ransomware payments, instead opting to introduce mandatory reporting obligations.

Recent research from IT firm Cohesity found that 92 per cent of Australian IT executives said their company would pay a ransom to recover data and restore business processes, while 6 per cent said “maybe, depending on the ransom amount”.

Almost two in three said their company would be willing to pay more than $US3 million to recover data and restore business processes, with 27 per cent of respondents saying their company would be willing to pay over $US5 million.

“Every time a ransom is paid, we are feeding the cybercrime problem,” Cybersecurity Minister Clare O’Neil said in November.

“Now, we are in a situation in our country where it is clearly not the right time at this moment to ban ransoms, and that’s because we haven’t done the hard work.”

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.