Compass Group
Summary
Compass Group Australia, the country's largest food and support services company, became aware of unauthorized activity in its IT network on September 4, 2024. The Medusa ransomware gang claimed to have stolen 785.5 gigabytes of data, demanding $2 million to delete the information or offering to sell it. The company was targeted a second time later in September.
Attack Vector
The Medusa ransomware gang breached Compass Group's network and exfiltrated 785.5 GB of data, threatening to publish it within eight days if ransom demands were not met. An affiliate of Medusa targeted the company for a second attack later in September 2024, with another tranche of data exfiltrated and posted on September 18, demonstrating persistent targeting of the organization.
Consumer Impact
Medusa shared documents allegedly stolen during the attack, including wage declarations belonging to Compass Group employees and scans of international passports and driver's licenses, possibly belonging to contractors. Compass Group employs 13,000 people and provides food services to education, mining, defense sectors, hospitals, and aged-care facilities. The dual attacks created prolonged exposure risk for employee personal information.
Response
Compass Group immediately activated its incident response plan and engaged third-party forensic experts, proactively disabling affected systems to remove the threat. The company notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, both of which continued to assist. As a wholly owned subsidiary of UK-based Compass Group, the Australian operation coordinated response efforts with parent company resources.