MotorCycle Holdings

Summary

ASX-listed MotorCycle Holdings Limited (MTO) disclosed on April 8, 2024 that a threat actor gained unauthorized access to web servers hosted by a third-party vendor for two of its MOJO Motorcycles brand websites—Sherco and Lambretta. The attacker inserted malicious code that may have exposed customer contact information submitted through web forms. The company's internal systems remained secure and unaffected, with the investigation concluded by April 29, 2024.

What Happened

On April 8, 2024, MotorCycle Holdings and its wholly owned subsidiary MOJO Motorcycles became aware of a cyber incident involving unauthorized access to two motorcycle brand websites operated by a third-party hosting vendor. The affected websites marketed the Sherco and Lambretta motorcycle brands in Australia.

The threat actor successfully gained access to the web server that hosted both websites and inserted malicious code. This malicious code potentially captured customer information submitted through web forms on the sites, including contact requests, newsletter signups, or inquiry forms.

The attack was limited to the third-party vendor's hosting infrastructure and did not compromise MotorCycle Holdings' internal corporate systems, databases, or other company platforms. The breach specifically affected customer data stored on the server related to web form submissions from visitors to the Sherco and Lambretta branded websites.

MotorCycle Holdings announced the conclusion of its investigation on April 29, 2024, approximately three weeks after initial discovery, indicating a relatively contained incident with clear scope boundaries.

Impact on Individuals

The breach potentially exposed personal information of customers who had submitted web forms on the Sherco and Lambretta motorcycle websites, including:

• Full names
• Email addresses
• Phone numbers
• Physical addresses
• Any additional information provided in contact or inquiry forms

The affected individuals likely included:

• Prospective motorcycle buyers who submitted inquiry forms
• Current customers seeking information or support
• Newsletter subscribers
• People requesting quotes or dealer information

The risks to affected individuals include:

• Targeted phishing: Attackers could use motorcycle brand knowledge to craft convincing phishing emails
• Spam and unsolicited marketing: Contact information could be sold or used for unwanted communications
• Social engineering: Knowledge of motorcycle interest could be used in scam attempts
• Limited identity theft risk: While contact information alone poses lower identity theft risk compared to financial or identity documents, it contributes to profiles used in more sophisticated attacks

The impact was somewhat mitigated by the limited scope of data exposed (contact information only, no financial or payment details) and the relatively small customer base of specialty motorcycle brand websites compared to major retailers.

Organisational Response

MotorCycle Holdings disclosed the breach on April 8, 2024 and began notifying affected individuals whose information may have been exposed. The company published an "Affected Individuals Notification" on its corporate website explaining the incident and what data was potentially compromised.

The company took immediate steps to:

• Investigate the extent of the breach with cybersecurity specialists
• Work with the third-party hosting vendor to remove malicious code and secure the servers
• Assess which customer records were potentially accessed
• Notify affected individuals directly

As an ASX-listed company, MotorCycle Holdings fulfilled continuous disclosure obligations by announcing the breach investigation and subsequent conclusion to shareholders and the market. The April 29, 2024 announcement confirmed that the investigation was complete and the incident had been contained.

The company emphasized that its internal systems remained secure throughout the incident, with no evidence of compromise to corporate networks, financial systems, or other operational platforms. This containment to the third-party vendor's infrastructure limited the potential damage and enabled relatively swift resolution.

The incident highlighted supply chain security risks, where even limited-scope websites operated by third-party vendors can create data exposure risks for the primary organization. While MotorCycle Holdings' core systems were not compromised, the company bore responsibility for notifying customers and managing the breach response for websites operated on its behalf.

[extra.impact] affected_individuals = 0 individuals_note = "" data_volume_gb = 0 record_count = 0 financial_cost_total = 0 ransom_demanded = 0 ransom_paid = 0 estimated_remediation = 0 downtime_hours = 0 downtime_note = "" +++