Coles, Westpac, AMP and Department of Defence caught up in ‘significant’ data breach of Finite Recruitment – ABC News

The personal details of job applicants and staff at a range of major Australian companies and government agencies have potentially been exposed in a "significant" data breach and extortion attempt against Australian recruitment company Finite.

Hackers have accessed and released sensitive data that includes resumes, offers of employment, contracts, timesheets and vaccine certificates, with the likely goal of extracting a ransom.

Finite has a long list of major Australian clients, including Coles, Westpac, AMP and the departments of Defence, Health and Home Affairs.

Conti, the same hacking group responsible for the data breach affecting up to 80,000 South Australian government employees disclosed last week, has so far released more than 12,000 files and is threatening to publish more.

A notice posted on the hacking group's website, designed to extract a ransom payment, claims more than 300 gigabytes of data has been stolen, including financials, contracts, customer databases, phone numbers, addresses, passports and a variety of other sensitive personal information.

Finite Recruitment said in a statement sent to the ABC that the data "relates to a one-off cyber incident that occurred back in October", adding that the incident was still being investigated and affected parties would be notified when the investigation concluded.

"We are aware that a small subset of Finite Group's data has been downloaded and published on the dark web," the statement said.

An Australian Cyber Security Centre profile of the hacking group notes that "leaked information is hosted on The Onion Router (TOR) network, enabling greater anonymity to Conti threat actors hosting illicitly obtained material".

However, the group appears to have more recently been posting leaked data on a regular website available to all internet users. The ABC was able to view and access leaked files using a standard web browser.

The data already released includes the personal details of Australians who have sought employment through the firm, including resumes, salary information, reference checks, criminal history checks and visa checks.

A long list of businesses, banks and government agencies were caught up in the leak by way of their ties with Finite, including Westpac, ME Bank, Coles, Adairs, AMP, Suez Australia, NBN Co and the departments of Defence, Home Affairs and Health.

Some of Finite Recruitment's clients contacted by the ABC said they were aware of the leak, while others had not been notified.

A federal health spokesperson said the department used a range of hire firms, including Finite Group APAC Pty Ltd, but did not share "any sensitive or classified data" with those providers.

"The department has not received any correspondence from Finite Group APAC Pty Ltd regarding any security breach or data loss," a spokesperson said.

Coles, which has a service agreement with Finite Recruitment and was listed in the leaked documents, said it was conducting its own investigations into the breach.

"We have engaged directly with Finite to understand what steps they are taking to investigate the incident and to secure their systems, and to assess any impact to Coles contractors or team members," a Coles spokesperson said.

Australian National University, which was also listed in the breach, said in a statement that it had not been informed of this data breach, but added there was nothing to suggest its systems were currently under threat.

The ABC also contacted the departments of Defence and Home Affairs, but neither was able to respond in time for publication. The ABC also reached out to Downer, IBM, AMP, Hostplus and the Australian Cyber Security Centre for comment.

Conti is a Russia-based criminal organisation behind ransomware technologies. In short, they're after money.

Canberra-based cyber security researcher Robert Potter says Conti is a highly professionalised hacking group which uses a variety of well-known tools to gain access to its target's networks before stealing data and seeking a ransom.

Ransomware attacks work by encrypting victims' data, rendering it inaccessible. Groups will then offer to sell the victim a decryption key to re-access that data.

If the victim doesn't give in to the attackers' demands, they can permanently lose access to the data.

Conti affiliates are also known to use a technique known as "double-extortion", which involves threatening to release the stolen data unless payment is made.

Mr Potter said the group was becoming more brazen and was quite open about who they have targeted in recent times.

He said Conti was increasingly ideological, sometimes using Russian foreign policy talking points, suggesting this might be a tactic to appeal to the people who provide them protection.

"Conti are doing a roaring trade, they're not subtle," Mr Potter said.

Conti attacks have made headlines before for targeting high-profile organisations, demanding large amounts of money as ransom in exchange for agreeing not to publish full data leaks.

ProDraft, a cyber security and intelligence company that monitors incidents of potential cybercrime, said that since 2020 it had seen data from 567 different companies shared on Conti's extortion site. ProDraft also says its teams have noticed a recent surge in Conti attacks.

"Conti has shown itself to be a particularly ruthless group, indiscriminately targeting hospitals, emergency service providers and police dispatchers," the report said.

Conti is also offered as a Ransomware-as-a-Service (RaaS). This allows affiliates to use the ransomware as they want, as long as a percentage of the ransom payment is shared with the Conti operators as commission.

Research carried out by ProDraft found that, since July 2021, Conti has received more than 500 bitcoin in ransomware payments which, at the time of writing, was worth $32.8 million.

According to Mr Potter, Conti is sophisticated enough that they take an "almost actuarial approach" to determining ransom amounts, even targeting a dollar value close to what they think an organisation's insurance will cover.

Mr Potter said most Australian organisations hit by ransomware attacks did not pay up, which is the right move.

However, he was aware of at least one large ransom payment from an Australian-based organisation targeted by Conti.
