Guests and staff of Australian hotel and property giant Meriton have been caught up in a significant cyber attack, with personal information such as birth certificates, employment details and health information potentially exposed to hackers.
Meriton first became aware of the cyber security incident on 14 January – since then, the company's forensic analysis team has identified 35.6 gigabytes of data which may have been compromised by an "unidentified third party".
"Meriton’s forensic analysis team identified 35.6GB of data to be potentially impacted by the incident," said Meriton.
"Affected individuals include guests, as well as past and present employees of Meriton Suites that have received a notification letter from Meriton," it added.
Among the 1,889 people Meriton said were "potentially affected" by the incident, the company's staff members seem to face the widest range of damages.
The company warned staff that cyber criminals may have accessed data relating to their health information, bank accounts, tax file numbers and employment information – the latter of which includes salary information, disciplinary histories, and performance appraisals.
While the scale of this incident pales in comparison to the recent Latitude Financial breach which impacted 14 million customers, experts have raised concerns over the sensitive nature of the data involved in the Meriton attack.
During the hack, certain guest health information relating to hotel incident reports – such as when an ambulance is called for injury – may have been breached, including any information regarding a guest’s health at the time of an incident.
Meriton also notified potentially affected guests that their contact details may have been compromised and issued a broader safety warning on its website for those impacted.
"Do not respond to any email, telephone or social media communications that you consider suspicious and if you are unsure, call the sender of the communication to confirm their legitimacy," said Meriton.
"Do not provide any personal information or transfer money to any unknown party," it added.
According to Meriton, all 1,889 of the people potentially affected by this incident have been personally notified.
In its letter to those affected, the luxury developer downplayed the severity of the incident and said it had no evidence suggesting stolen information had been used in criminal activity.
"We have no evidence that this cyber incident was directed towards any specific individual, and our investigation has revealed no evidence that your information has been misused," the company said.
Meriton also said it has been taking "all available steps" following the incident to "protect against future risk to data and prevent recurrence".
The company boasts of working alongside leading cyber security and forensic IT professionals after the attack, and said it has worked to implement enhanced cyber security measures such as network monitoring.
Meriton has informed both the Australian Cyber Security Centre and the Office of the Australian Information Commissioner (OAIC) of the incident.
Crown Resorts investigates ransom gang claims
Meanwhile, Australia's largest gaming and entertainment group Crown Resorts has launched investigations into a potential data breach of its own, after a ransomware group claimed to have obtained Crown files through a third-party breach on GoAnywhere.
GoAnywhere is a file transfer service at the centre of countless security incidents over the past month, including a recent data breach at Rio Tinto.
A Crown Resorts spokesperson said no customer data has been compromised to date, and business operations have not been impacted.
“We are continuing to work with law enforcement and have notified our gaming regulators as part of the ongoing investigation and will provide relevant updates, as necessary,” the spokesperson said.