In what might be the first report made under the new mandatory data breach laws, an Australian shipping company has revealed that tens of thousands of its emails were auto-forwarded without permission.
We have seen this a number of times: a person's email account is compromised and the attacker sets up an auto-forward rule so that they can read the victim's emails without alerting the victim to what is happening. The information gained from this eavesdropping is then used in a later extortion attempt.
The story below is courtesy of abc.net.au:
The shipping company Svitzer has suffered a significant data breach affecting almost half its Australian employees.
It is among the first incidents to be disclosed under Australia's new notifiable data breaches scheme.
For almost 11 months, emails from three Australian employee email accounts were secretly auto-forwarded outside the company. The perpetrator has not yet been identified.
The hack, which began May 27 last year, affected accounts in finance, payroll and operations.
Svitzer's head of communications, Nicole Holyer, said the company stopped the email theft after being alerted on March 1 this year.
Forensic IT experts have been called in to investigate.
The sensitive personal information of around 500 employees was affected. Svitzer employs about 1,000 people in Australia.
Lost details may have included tax file numbers, superannuation account numbers and the names of next of kin.
Staff are being informed of the breach today.
"Our absolute priority is our employees. We are offering the highest levels of support to those affected," Steffen Risager, managing director of Svitzer Australia, said in a statement.
About 50,000 to 60,000 emails may have been forwarded outside the company, Ms Holyer said.
The investigation is still ongoing, however, and the company is determining the scope of the hack.
"Svitzer's IT help desk received a call from an employee about a suspicious email rejection notice from an external email account," Ms Holyer said.
"We then identified, after an investigation, that an email rule had been created on three Svitzer Australia employee accounts to automatically forward emails to two external email accounts."
Ms Holyer said the perpetrator also introduced supporting rules to delete the forwarded emails.
The compromised email account owners couldn't see that their emails were being forwarded.
The perpetrator of the data breach has not yet been identified.
"We've ruled out that it was someone internally," Ms Holyer said.
As part of its investigation, the company also served a court order today to the company that hosted the external email addresses to grant investigators access.
Ms Holyer could not name the email provider, but clarified that it was one that many people used.
Svitzer, which is part of the Danish shipping conglomerate Maersk Group, employs about 4,000 people globally.
In June 2017, Maersk's IT systems were infected by the NotPetya ransomware as part of the global cyberattack.
Svitzer incident not typical
Security analyst Troy Hunt, who runs the website Have I Been Pwned?, which allows people to search whether their personal details have been lost in a data breach, said the Svitzer situation was not a typical one.
"Most of the data breaches that I deal with … are malicious attacks against systems where large volumes of data are taken," he said.
"We're sometimes talking hundreds of millions of records in one go."
In this case, the exfiltration appears to have occurred record by record.
"It is a little bit unusual to see information filtered out this way," Mr Hunt added.
"One of the interesting things here is that many organisations configure their mail environment such that you cannot forward automatically to external addresses precisely because of things like this."
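The forward-and-delete pattern Ms Holyer describes above, and the inbox-rule audit an administrator would run to catch it before a bounce notice does, as an added example that is not part of the ABC article or of this post. The rule records are constructed sample data shaped like the properties Exchange's Get-InboxRule returns (ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, SubjectContainsWords); the mailbox names, the webmail.example provider domain and example.com as the corporate domain are assumptions, so the script runs offline and is not Svitzer's data:

```python
import re

# Assumed corporate domain(s); any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample rules (not real data). Field names mirror the
# Get-InboxRule / Graph messageRules properties an admin would export.
SAMPLE_RULES = [
    {"mailbox": "payroll@example.com", "name": "Move newsletters", "enabled": True,
     "forwardTo": [], "forwardAsAttachmentTo": [], "redirectTo": [],
     "deleteMessage": False, "subjectContains": ["newsletter"]},
    {"mailbox": "payroll@example.com", "name": "Copy to manager", "enabled": True,
     "forwardTo": ["manager@example.com"], "forwardAsAttachmentTo": [], "redirectTo": [],
     "deleteMessage": False, "subjectContains": []},
    # Attacker-style rule: near-invisible name, forwards every mail to two external accounts.
    {"mailbox": "finance@example.com", "name": ".", "enabled": True,
     "forwardTo": ["acct.backup1@webmail.example", "acct.backup2@webmail.example"],
     "forwardAsAttachmentTo": [], "redirectTo": [],
     "deleteMessage": False, "subjectContains": []},
    # Supporting rule: deletes delivery-failure notices so the owner never sees a bounce.
    {"mailbox": "finance@example.com", "name": "..", "enabled": True,
     "forwardTo": [], "forwardAsAttachmentTo": [], "redirectTo": [],
     "deleteMessage": True,
     "subjectContains": ["Undeliverable", "Delivery Status Notification"]},
]

BOUNCE_WORDS = re.compile(r"undeliverable|delivery status|delivery has failed|mail delivery", re.I)


def domain_of(address):
    """Lower-cased domain of an SMTP address ('Name <user@dom>' or bare), '' if malformed."""
    m = re.search(r"@([^@>\s]+)>?$", address.strip())
    return m.group(1).lower() if m else ""


def external_targets(rule):
    """Every forward/redirect recipient whose domain is not in INTERNAL_DOMAINS."""
    targets = (rule.get("forwardTo", []) + rule.get("forwardAsAttachmentTo", [])
               + rule.get("redirectTo", []))
    return [t for t in targets if domain_of(t) not in INTERNAL_DOMAINS]


def audit_rule(rule):
    """Return a list of human-readable findings for one rule (empty if it looks benign)."""
    findings = []
    ext = external_targets(rule)
    if ext:
        findings.append("forwards outside the organisation to " + ", ".join(ext))
    if rule.get("deleteMessage"):
        if ext:
            findings.append("forwards and then deletes the original (owner never sees it)")
        if any(BOUNCE_WORDS.search(s) for s in rule.get("subjectContains", [])):
            findings.append("silently deletes delivery-failure notices (hides bounces from the owner)")
    # Names made only of dots/punctuation or whitespace are a common low-visibility trick.
    if not rule.get("name", "").strip(".,;: "):
        findings.append("low-visibility rule name %r" % rule.get("name"))
    return findings


def audit_mailboxes(rules):
    """Map mailbox -> [(rule name, finding), ...] for enabled rules that raise a flag."""
    report = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        for finding in audit_rule(rule):
            report.setdefault(rule["mailbox"], []).append((rule["name"], finding))
    return report


if __name__ == "__main__":
    for mailbox, items in audit_mailboxes(SAMPLE_RULES).items():
        print(mailbox)
        for name, finding in items:
            print("  rule %r: %s" % (name, finding))
```

Run against live data, the same fields come from Exchange Online with `Get-InboxRule -Mailbox <user>` (properties Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, SubjectContainsWords), looped over every mailbox. The tenant-wide block Mr Hunt refers to is `Set-RemoteDomain -Identity Default -AutoForwardEnabled $false`, and on Exchange Online also `Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off`; with either in place a rule like the one above simply cannot deliver outside the organisation, which is why the audit is a detective control for environments where forwarding must stay open for some users.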
Under Australia's notifiable data breaches scheme, which went into effect in February, companies must disclose such incidents to the Office of the Australian Information Commissioner.
Companies or government agencies must reveal a breach if the data includes personal information that is likely to result in serious harm.
Ms Holyer said the OAIC was informed today.
There were 15 days between the breach being discovered and disclosed to the OAIC, and Mr Hunt said this is one of the gripes he has with the new scheme.
Companies generally have a maximum of 30 days to conduct an assessment once a breach is discovered.
In May, Europe is implementing data breach rules in the General Data Protection Regulation, he pointed out.
"That prescribes 72 hours [that companies have until disclosure to the supervising authority]. That is a tenfold difference."
An OAIC spokesperson confirmed Svitzer provided a data breach notice today.
"The OAIC will assess the information in the notification and decide if any further action is required," she said.