This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Finite Recruitment

Summary

Finite Recruitment, a Melbourne-based recruitment agency, was targeted by a ransomware attack in December 2021 that compromised personal data of job seekers who had applied for positions at major Australian organisations. The breach affected applicants to Coles, Westpac, AMP, and the Department of Defence, creating supply chain risks for these organisations.

What Happened

Finite Recruitment's systems were compromised by a ransomware attack linked to a Russian hacking group. The attackers gained access to the recruitment agency's database containing personal information of job applicants, including resumes, contact details, and employment histories.

As a recruitment agency, Finite acts as a trusted intermediary between job seekers and major employers. The breach exposed data that applicants had submitted when applying for positions at client organisations, making this a supply chain attack affecting multiple downstream parties.

The attack was attributed to threat actors operating from Russia, though the specific ransomware variant was not publicly disclosed.

Impact on Individuals

Job applicants who had submitted applications through Finite Recruitment for positions at affected organisations faced exposure of:

  • Personal contact information: Email addresses, phone numbers, home addresses
  • Employment history: Previous positions, qualifications, professional experience
  • Career information: Skills, salary expectations, career goals

The exposed information could be used for targeted phishing attacks, especially social engineering scams that exploit the job-seeking context. Applicants who had applied for sensitive positions, particularly with the Department of Defence, faced heightened risks.

Organisational Response

Finite Recruitment disclosed the breach to affected client organisations including Coles, Westpac, AMP, and the Department of Defence. These organisations were responsible for notifying their respective job applicants.

The incident highlighted the security risks associated with recruitment agencies that hold sensitive personal data for multiple organisations' applicants.

Impacted Organisations

The following entities have been confirmed as affected by this specific vendor breach:

  • Coles
  • Westpac
  • AMP
  • Department of Defence