Sumo

Summary

Sumo, an Australian energy and internet provider, suffered a data breach when customer information was accessed via an unsecured Amazon S3 bucket. The data was posted to BreachForums on May 11, 2024, with Sumo becoming aware of the incident on May 13, 2024.

Attack Vector

The breach occurred through a misconfigured Amazon S3 bucket, sumo-public-share.s3.amazonaws.com, which Sumo used as a third-party file storage application. The unsecured bucket allowed unauthorized access to customer documents and personal information without requiring authentication.
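
A defensive check for the kind of exposure described above, added here as an example and not taken from Sumo or the original page: it flags the settings that let unauthenticated requests reach an S3 bucket. The page does not say which setting was wrong, so the policy, ACL grants and bucket name `example-share-bucket` are constructed, and the public-policy test is simplified to Allow statements with a wildcard principal and no Condition.

```python
import json

# Predefined S3 ACL group that means "anyone, no authentication".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_statements(policy):
    """Return Allow statements that grant to any principal with no Condition."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            wildcard = "*" in _as_list(principal.get("AWS", []))
        else:
            wildcard = principal == "*"
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            hits.append(stmt)
    return hits

def anonymous_exposure(policy, acl_grants, block):
    """List the ways unauthenticated requests can reach the bucket.

    block holds the bucket's Block Public Access flags; a missing flag counts as False.
    """
    findings = []
    if not block.get("RestrictPublicBuckets", False):
        for stmt in public_policy_statements(policy):
            findings.append("policy allows %s to everyone" % _as_list(stmt.get("Action")))
    if not block.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") == ALL_USERS:
                findings.append("ACL grants %s to AllUsers" % grant.get("Permission"))
    return findings

# Constructed sample configuration (not the real bucket's settings).
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-share-bucket/*"},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-share-bucket/*"}]}""")
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
OPEN = {}  # no Block Public Access flags set
LOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(anonymous_exposure(SAMPLE_POLICY, SAMPLE_ACL, OPEN))
    print(anonymous_exposure(SAMPLE_POLICY, SAMPLE_ACL, LOCKED))
```

With all four Block Public Access flags enabled, the same policy and ACL produce no findings, which is why those flags are the first thing to verify on any bucket used for file sharing.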

Consumer Impact

Approximately 40,000 customers were affected, with exposed data including full names, addresses, dates of birth, mobile phone numbers, credit scores, license numbers, and approximately 3,000 Australian passport numbers. The combination of exposed identity documents and credit score information creates a significant identity theft risk for affected customers.

Response

Sumo sent email notifications to all 40,000 impacted individuals detailing the types of compromised personal information. The company reported the incident to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. Sumo partnered with IDCARE, Australia's national identity and cyber support community service, to provide ongoing support to affected customers. The company confirmed that none of Sumo's core systems were affected, with the breach limited to the third-party file storage application.