In a statement, the organization confirmed that 50,000 member records were compromised in the breach, but only some sets of personal data were exposed. Spirit Super said it quickly contained the security breach (update editorial team: statement currently not available online anymore). The incident is now being actively investigated, and all potentially affected members have been notified via SMS, email, or letter. The motive for the attack is still unclear, and the threat actor responsible for the phishing scam is unknown.
Human Error Led to Data Breach
On May 19th, 2022, an unnamed Spirit Super staff member’s email account that contained member records was breached in a phishing scam. Spirit Super insists that the breach was due to “human error” rather than a system failure or weakness in its cybersecurity measures. The attackers successfully bypassed Spirit Super’s multi-layer security provisions, which include multi-factor authentication (MFA) — meaning this was a sophisticated attack. The organization believes it was the victim of a “broad phishing attack campaign,” and was not specifically targeted. Although a malicious party gained access to the staff’s mailbox where member records were held, “they [the malicious party] may not be aware that they have this information,” Spirit Super said.
Compromised Personal Data
According to Spirit Super, the data that was compromised dates back to June 2019 and 2020 and does not include passwords, dates of birth, government ID numbers (such as tax file numbers or driver’s license information), or bank account information. The compromised data includes Spirit Super member numbers, titles, first names, surnames, email addresses, home phones, mobile phones, addresses, members’ ages, and account balances. “There were no government identifiers in the data and there is minimal risk of identity theft or fraud as a result of the limited data set,” the organization noted.
How is Spirit Super Handling the Incident?
Spirit Super said it is taking extensive measures to secure accounts and protect member data, such as blocking financial transactions from potentially affected accounts, reviewing account activity, and enforcing new account control measures. The organization is also taking steps to consolidate its internal cybersecurity staff training, as well as notifying authorities, including the Privacy Commissioner. “We will take immediate precautions to further strengthen our IT security and reduce future risk of cyber incidents,” Spirit Super noted in its statement. The organization said it will update its website with “any information that comes to light.” Meanwhile, Spirit Super has cautioned its members to be vigilant about scammers reaching out to them via phone, email, or otherwise asking for personal details. The organization recommends that members do not post about this incident on their social media to avoid drawing attention to themselves until further notice.
Increasingly Sophisticated Phishing Campaigns
Phishing campaigns are becoming more sophisticated and broad. As a result, organizations are increasingly getting caught in the net as bycatch. There have been cases of phishing emails bypassing email security filters and multi-factor authentication. For these reasons, the industry is moving towards more bulletproof methods of identification, such as biometric access and uncrackable encryption. To protect yourself from socially engineered scams like email phishing, it is advisable that you always check the sender’s address and the URL when you receive an email. Keep in mind that a legitimate business entity will never ask you for your personal details via email.