Firstmac
Summary
Firstmac, Australia's largest non-bank mortgage lender, suffered a ransomware attack by the newly emerged EMBARGO group, discovered on April 30, 2024. The attackers claimed to have exfiltrated over 500 gigabytes of data including customer databases, source code, and highly sensitive personal information such as tax file numbers (TFNs), one of Australia's most sensitive government identifiers.
What Happened
On April 30, 2024, Firstmac discovered that an unauthorized third party had accessed a limited part of its IT system. The Brisbane-based mortgage lender immediately began investigating the incident with cybersecurity specialists. The same day, the EMBARGO ransomware group claimed responsibility for the attack on their dark web leak site.
EMBARGO, a newly emerged ransomware operation, claimed to have encrypted Firstmac's servers after exfiltrating approximately 500GB of data. The group said the stolen data included "full databases, source codes, [and] sensitive customer data", the pattern of a double-extortion attack: encrypt systems for a ransom, and threaten to publish the stolen data if it is not paid.
The public disclosure coincided with EMBARGO's claim, suggesting the group's threat to publish stolen data may have forced Firstmac's hand. An attack on a major financial institution by a new ransomware player highlighted the continued targeting of Australia's financial services sector.
Impact on Individuals
Customer notifications confirmed that the breach exposed highly sensitive financial and identity information including:
- Tax File Numbers (TFN): Australia's most sensitive government identifier, used for taxation and government services
- Full names and dates of birth
- Contact information: email addresses, phone numbers
- Physical addresses
- Financial data related to mortgage and term deposit accounts
The exposure of Tax File Numbers is particularly serious because:
- TFNs cannot be changed like passwords or credit cards
- They are the key identifier on Australian Taxation Office (ATO) records and are used across government services
- Criminals can use TFNs for identity theft, fraudulent tax returns, and government benefit fraud
- TFN misuse can create long-term tax complications for victims
The combination of TFNs with names, dates of birth, and addresses provides most of what is needed for identity theft. Victims face a long-term risk because a TFN stays with a person for life and the stolen information cannot be revoked.
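The triage question that follows from this section is which of the compromised records actually contain a TFN, so that notifications and ATO monitoring requests go to the right people. The script below is an added illustration of that scoping step and is not Firstmac's code. It applies the publicly documented TFN check-digit rule (weights 1, 4, 3, 7, 5, 8, 6, 9, 10, weighted sum divisible by 11) to constructed sample records with assumed field names, and masks matches so the output can go into a ticket without re-exposing the number.

```python
"""Triage helper: find TFN-shaped values in a leaked data set.

Added illustration, not Firstmac's code. The check-digit rule is the
published ATO algorithm; the sample records and field names are constructed.
123456782 and 876543210 pass the check digit, 123456789 does not.
"""
import re
from typing import Dict, List

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
# Nine digits, optionally grouped 3-3-3 with spaces or hyphens, and not
# embedded in a longer digit run (so a 10-digit phone number is skipped).
TFN_PATTERN = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(candidate: str) -> bool:
    """Return True if the nine digits pass the TFN check-digit test."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def mask_tfn(tfn: str) -> str:
    """Keep only the last three digits for notification letters or tickets."""
    digits = re.sub(r"\D", "", tfn)
    return "*" * (len(digits) - 3) + digits[-3:]


def find_tfns(text: str) -> List[str]:
    """Return every nine-digit group in text that passes the check digit."""
    found = []
    for m in TFN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if is_valid_tfn(digits):
            found.append(digits)
    return found


def triage(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Scope which records carry a TFN so the affected-customer list is exact."""
    hits = []
    for rec in records:
        blob = " ".join(rec.values())
        tfns = find_tfns(blob)
        if tfns:
            hits.append({"customer_id": rec["customer_id"],
                         "tfn_masked": [mask_tfn(t) for t in tfns]})
    return {"records_scanned": len(records),
            "records_with_tfn": len(hits),
            "hits": hits}


# Constructed sample rows; field names are assumptions, not Firstmac's schema.
SAMPLE_RECORDS = [
    {"customer_id": "C001", "name": "A. Example", "tfn": "123 456 782", "phone": "0400000000"},
    {"customer_id": "C002", "name": "B. Example", "notes": "ref 123456789 (fails check digit)"},
    {"customer_id": "C003", "name": "C. Example", "notes": "tfn supplied 876-543-210"},
    {"customer_id": "C004", "name": "D. Example", "phone": "0412345678"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RECORDS), indent=2))
```

The check digit only confirms that a string is TFN-shaped; it cannot tell whether the number was actually issued, so a hit still needs to be matched against the customer record before anyone is notified. Running this over the impacted files rather than over the whole customer base is what keeps the notification list from being either over- or under-inclusive.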
Organisational Response
Firstmac immediately notified affected customers whose personal information was contained in the impacted files. The company partnered with IDCARE, Australia's national identity and cyber support service, to provide free assistance to affected individuals.
Firstmac issued specific guidance to customers:
- Contact the Australian Taxation Office (ATO) to have extra monitoring placed on their tax accounts
- Be vigilant for scams and phishing attempts impersonating Firstmac or the ATO
- Monitor credit reports and financial accounts for suspicious activity
- Report any unusual tax or government correspondence to authorities
The company worked with the Australian Cyber Security Centre and law enforcement to investigate the breach and pursue the EMBARGO ransomware gang. Given the exposure of TFNs, Firstmac also coordinated with the ATO to implement protective measures for affected customers' tax records.
The incident marked one of the first major attacks claimed by the EMBARGO ransomware group, which emerged in early 2024 as a new threat to Australian organizations. Its successful targeting of a major financial institution showed that even a newly formed group can compromise critical financial infrastructure.