ZircoDATA responds to ransomware attack

Business Process Outsourcer (BPO) ZircoDATA has been targeted in a ransomware attack by a criminal organisation, which has published details of 395GB of data that has allegedly been compromised, including Australian ImmiCard numbers.

ZircoDATA is a global organisation that has been operating in the Australian market since 2016 when it acquired Iron Mountain’s domestic records and information management business. It has since acquired a number of Australian specialist Records Management and document processing businesses.

Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that targets organizations in the US, Japan, Canada, the UK, Australia, and New Zealand. It uses a double extortion tactic, encrypting data and publishing it on a public leak site.

Black Basta claimed to have obtained financial documents, personal user folders, and confidentiality agreements from ZircoDATA. It set March 1 as the deadline for a ransom payment to stop it from revealing more.

According to reports, it has posted a large number of documents to prove the validity of the hack, including passport scans and immigration documents such as Australian migration status cards with ImmiCard numbers.

According to the company website, ZircoDATA has more than 9000 customers across Australia, which it provides with “secure document storage and records lifecycle solutions.”

The company has responded that it discovered a network hack on February 8, 2024 that encrypted some files, and then became aware on February 22 of an allegation on the dark web that some data had been stolen.

It acknowledged that “some personal information [of ZircoDATA employees] was published as part of a sample on the dark web.

“At this stage, our investigation has not identified any evidence suggesting that personal information relating to our customers (or their customers) has been impacted. Please understand that the investigation is ongoing,” it stated.

The Australian Cyber Security Centre, the Australian Federal Police and the Office of the Australian Information Commissioner have been notified of the incident.

According to the World Economic Forum, ransomware activity alone was up 50% year-on-year during the first half of 2023, with so-called Ransomware-as-a-Service (RaaS) kits, where prices start from as little as $US40, a key driver in the frequency of attacks.

“Gangs are also carrying out more attacks faster, with the average number of days taken to execute one falling from around 60 days in 2019 to four. Most ransomware attacks now involve the theft of personal or sensitive commercial data for the purpose of extortion, increasing the cost and complexity of incidents, as well as bringing greater potential for reputational damage.

“Our analysis of large cyber losses (€1 million+) in recent years shows that the number of cases in which data is exfiltrated is increasing – doubling from 40% in 2019 to almost 80% in 2022, with activity in 2023 tracking even higher.”