PNORS group providing services to the governmental departments has been a victim to cyberattacks
PNORS Technology Group confirmed on Saturday that two of its businesses, Datatime and Netway, were the target of a cyber attack on November 3.
PNORS Technology Group provides services to government departments and owns five companies which provide a range of technology services to more than 1,000 clients.
“The impacted PNORS Technology Group businesses deal with document and data capture, digital conversion and managed IT support for a number of external clients, including government departments,” PNORS chief executive Paul Gallo said.
“Initial investigations by cyber security experts indicated this incident was limited to systems being encrypted and locked.However, overnight the criminals behind the cyber attack released to the company in a private communication a sample of what is believed to be stolen data.”
The Victorian Department of Premier and Cabinet (DPC) said it was determining whether data held by the state had been exposed in the breach.
A DPC spokesperson said the government was continuing to provide support to PNORS Technology Group to determine the extent of the information breach . The spokesperson also said that the government was trying to prevent such incidents.
At an election announcement about support for Victorian veterans on Sunday, Premier Daniel Andrews said the details of the breach were still being confirmed.
“You can have a breach — whether anybody accessed anything, took anything, viewed anything — that’s not necessarily the same as the fact the first firewall was breached,” he said.
“It’s just important that we confirm the facts and as soon as we do that, we’ll have more to say.”
PNORS said it immediately notified affected clients on November 3, contacted state and federal police and engaged external cybersecurity experts.
The Office of Australian Information Commissioner has been notified.
“The extent of the data breach is still being investigated and we are working closely with all authorities to assess how many of our clients have been impacted and the nature of the data that has been stolen,” Mr Gallo said in a statement.
“When we were informed about the cyber attack we immediately shut down and isolated all our internal systems and took further measures to secure our network and data, along with pausing all data processing.”
The Victorian DPC spokesperson said the Victorian Government’s Cyber Incident Response Service had been notified.
“Protecting Victorian data and systems is our highest priority,” the DPC spokesperson said in a statement.
“If it is determined that Victorian government data has been exposed as a result of this breach, departments will notify impacted individuals and provide advice on steps they can take to minimise any risk.”
It is the latest in a string of data breaches at high-profile targets, starting with telco Optus in late September.Australia’s data breach notification laws require companies with an annual turnover of $3 million or more to notify the privacy commissioner about exposed customer data, so it is possible smaller companies have been exposed without making it public.
A security expert last month warned “a decade of anti-security policy” had left Australia open for attacks.
Another this week warned hackers would now see Australia as “a soft target” in light of the recent breaches.
Attorney-General Mark Dreyfus last week introduced a bill to amend the Privacy Act to the penalty for large data breaches to a minimum of $50 million.
The current maximum penalty for serious or repeated breaches of privacy is about $2 million.
The DPC spokesperson urged people to visit IDCARE for information about how to protect personal information and ScamWatch for information about online scams.