The personal data of millions of Australians may be at risk after cyber criminals stole a reported 1TB of data from Parques Reunidos, a Spanish theme park operator whose multinational portfolio of properties includes Sydney’s popular Raging Waters park.

The Madrid-based company jumped into incident response mode after recently discovering what it describes as “unauthorised external access to our computer systems”, commencing forensic investigations and engaging the Spanish Data Protection Authority (AEPD) about the incident.

Its response included shutting down affected systems and blocking their users; blocking remote access connections; blocking all users’ passwords; and “temporary isolation” of the company’s data centre.

The company is also expanding its data security tools and running “extraordinary awareness and training actions” to remind users about the risks of ransomware and other potential cybersecurity risks.

Those risks could mean headaches for customers that have frequented Raging Waters Sydney, one of 21 water parks operated by Madrid-based Parques Reunidos – whose portfolio of around 60 amusement parks, zoos and family entertainment centres spans Europe and the United States.

The Australian park was acquired by the Spanish company’s Palace Entertainment subsidiary in July 2018 for $40 million – its first foray into Australia and what was planned to be a stepping stone into a range of new sites here and across the region.

New kids on the block

Reports suggest that the attack has been carried out by BianLian, a relatively young ransomware gang whose custom software – with a reported 20 victims so far – exploits well-known vulnerabilities to quietly steal data.

Members have lurked on victim networks for up to six weeks, according to security group Redacted, with the ransom note on infected systems warning victims that “we have been downloading data from your network for a significant time before the attack”.

The group threatens its victims that the data will be posted on its dark web site within 10 days if the ransom is not paid, warning that links to the data would be sent to clients, partners, competitors, and news agencies – threatening “potential financial, business and reputational loses [sic].”

BianLian’s ransomware – which is spread through email attachments or by clicking on links to malicious Microsoft Office, PDF, ZIP, JavaScript and other files – has already had its encryption reverse engineered, and a decryptor was published earlier this year.

But the mass publication of “client” information could pose headaches for the millions of people who have attended Raging Waters Sydney since it opened in 2013 – whose personal data is likely amongst the significant volume of data compromised by the attackers.

The stolen data is described as including personal information about company employees; “information and contacts” of the company’s “partners and clients”; information about incidents at the company’s parks; and legal, financial, health, and operational information.

Such multi-pronged attacks are part of a growing trend that has seen ransomware gangs diversifying, rebranding, and networking with other groups to bolster their operations amidst declining ransomware revenues that could, Trend Micro recently warned, see many groups branching out into “adjacent areas” such as business email compromise (BEC), money laundering, and cryptocurrency theft.

Trend Micro blocked over 146 billion threats last year – noting in its latest Annual Cybersecurity Roundup that malicious actors are sneaking into victim networks by exploiting well-known vulnerabilities that have been addressed with incomplete or faulty patches.

Australia had the fifth highest number of malware detections of all surveyed countries, Trend Micro reported, with the second highest percentage of business email compromise (BEC) attacks and detection of malware ‘back doors’ up 116 per cent year-on-year in 2022 as cyber criminals fought to maintain access to victim networks for future attacks.

Raging Waters Sydney had not responded to Information Age enquiries by the time of publication.