Costa has been subjected to a malicious and sophisticated IT phishing attack.
The attack occurred on 21 August 2022, and an intensive recovery effort and a detailed review of the incident, conducted in conjunction with external IT security consultants, commenced on that date.
As a result, we have now established that access to data was confined to a single server at the Costa Corindi (NSW) site, which holds data for the berry category, and that only approximately 10% of the data on the Corindi file server was accessed.
The protective actions taken in response slowed operations, requiring the use of manual workarounds at certain sites and delaying some deliveries. The impacts have largely subsided as we have restored the majority of our network and systems; there was no loss of data and no material impact on operations or earnings.
Although only approximately 10% of the data on the file server was accessed, it is not clear which specific files were accessed, because the attacker encrypted the data they downloaded.
Much of the information that was stored on the server is not personal information; however, there is a risk that sensitive personal information of workers on Costa's Australian berry farms may have been accessed. To date, there is no evidence that any personal information has been leaked or uploaded to any sites.
The workers potentially affected include employees directly hired by Costa's berry category since 2013 and workers provided by labour hire organisations since 2019.
This sensitive information may include the following:
- Passport details
- Birth certificate
- Travel documents
- Australian Citizenship Certificate
- Bank details
- Superannuation details
- Tax File Numbers (TFN)
This information was collected in the first instance to satisfy certain laws relating to the employment of citizens and non-citizens and has been retained as per relevant record retention requirements.
Costa has notified the relevant authorities of this attack, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
Costa has taken steps to protect against any further malicious attack, including limiting network traffic to servers, increasing the level of endpoint protection, and scheduling additional employee training on phishing and social engineering practices.
To minimise the impact of the attack on individuals, we have been continuously monitoring the dark web, and continue to do so, to detect whether any information from the server has been posted.
We can confirm that, to date, we have not identified the publication of any such information.
We recommend that people who may be affected take precautionary measures to reduce the risk of their data being used unlawfully.
Examples of such measures include:
- Notifying your bank about the incident to ensure that extra checks are done by your bank.
- Notifying your bank/financial institution of any suspect transactions.
- Notifying your telecom provider so that they alert you to any request to port your number or redirect your phone calls/messages; such redirections are a common way of intercepting SMS-based multi-factor authentication codes.
- Obtaining periodic credit checks to monitor for suspicious activity. Further information on credit checks can be obtained at https://www.idcare.org/fact-sheets/credit-reports-australia.
- Changing your email passwords.
- Enabling multi-factor authentication on any sensitive accounts you may have, such as those with banks and financial institutions.
- Changing any PIN/password for accounts that include part or all of the data that may have been accessed (e.g. a birth date or street address used in a password).
- Notifying the Australian Federal Police if you suspect you have been subject to identity theft.
- Contacting the Australian Taxation Office Client Identity Support Centre if you suspect the misuse of a TFN.
Costa Group Interim CEO Harry Debney noted –
“This is a malicious attack, which was sophisticated in its execution. Our first concern is for the impact this may have on our current and former employees. With this firmly in mind, we continue to do everything we can to minimise any adverse consequences and to strengthen our cyber security protections. I can also confirm that no core business applications were accessed, nor was any customer or supplier data compromised by the attack.”
Costa understands that what has occurred may cause concern and uncertainty, which is why we have set up a dedicated phone number for any potentially impacted workers who may have questions or concerns about this incident.
The number is 1300 282 470 and will operate for one month from the date of this statement. It is available Monday to Friday, between 9am and 5pm (AEDT). If dialling this number, please select option 1.
Queries can also be emailed to cybersecurity@costagroup.com.au
We sincerely apologise to anyone affected and are committed to minimising the impacts of this event and ensuring that similar events do not occur in the future.
For general enquiries about this statement, contact Michael Toby: +613 8363 9071