This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Arrotex Pharmaceuticals (DBG Health)

Summary

Arrotex Pharmaceuticals, a business unit of DBG Health (Australia's largest health, wellness, and beauty company by volume), was compromised by the Morpheus ransomware gang on 25 August 2024. The attackers claimed to have exfiltrated 2.5 terabytes of sensitive corporate and employee data, including passport scans which were posted to the dark web as proof of the breach.

What Happened

On 25 August 2024, the Morpheus ransomware group attacked a DBG Health storage server and exfiltrated approximately 2.5TB of data. Morpheus is a relatively new ransomware operation, and this attack on Arrotex Pharmaceuticals appeared to be one of their first major victims.

Arrotex Pharmaceuticals was created in 2019 through a merger between Apotex Australia and Arrow Pharmaceuticals. The company is a major player in Australian pharmaceutical distribution and manufacturing.

The attackers posted employee passport scans on their dark web leak site to demonstrate the authenticity of the breach and put pressure on the company to pay a ransom.

Impact on Individuals

According to the Morpheus ransomware gang, the stolen data includes:

  • Employee passport scans and personal identification
  • Confidential internal documents
  • Recruitment and HR information
  • Salary and employment data
  • Information about business partners
  • Case reviews and clinical data
  • Sales and distributor information
  • Business plans and strategic documents
  • Compliance documentation
  • Internal file structures and system information

While the exact number of affected individuals was not disclosed, the breach likely impacts:

  • Current and former DBG Health/Arrotex employees
  • Job applicants whose information was in recruitment systems
  • Business partners and contractors
  • Potentially patient data if clinical information was compromised

The exposure of passport scans is particularly concerning as these government identity documents can be used for sophisticated identity theft and fraud.

Organisational Response

DBG Health has not issued a public statement about the breach at the time of initial reporting. The company likely engaged cybersecurity forensic experts to investigate the incident and assess the full scope of the data compromise.

As DBG Health is described as Australia's largest health, wellness and beauty company by volume, the breach represents a significant incident in the pharmaceutical and healthcare supply chain sector.

Significance

This breach demonstrates the ongoing targeting of Australia's healthcare sector by ransomware gangs. The pharmaceutical industry is particularly attractive to attackers due to:

  • Valuable intellectual property (drug formulations, research data)
  • Sensitive patient and clinical information
  • Complex supply chains with multiple stakeholders
  • Critical nature of operations (pressure to pay ransoms to avoid disruption)

Morpheus listing Arrotex as one of their first victims suggests this newer ransomware group is targeting high-value Australian organizations to establish their reputation in the cybercrime ecosystem.

[extra.impact] affected_individuals = 0 individuals_note = "" data_volume_gb = 2500 record_count = 0 financial_cost_total = 0 ransom_demanded = 0 ransom_paid = 0 estimated_remediation = 0 downtime_hours = 0 downtime_note = "" +++

Verification Source: View original statement