Tax file numbers and superannuation details have been listed in an alleged data breach targeting Australian provider Accounting and Adviser Services Pty Ltd (AAS).

In a post to an underground hacking forum on Tuesday, a prominent threat actor claimed to have acquired more than 33,900 records from AAS.

AAS, also known as AA Solutions, is a Sydney-based bookkeeper specialising in tax, self-managed super fund (SMSF) administration, and investment and portfolio administration.

In a section of the post about the leak titled ‘extent of breach’, the hacker listed dozens of data fields purportedly related to client and company names, residential and business addresses, email addresses, phone numbers, and a slew of financial details.

The post included alleged tax file numbers (TFNs), portfolio values, risk profiles, SMSF information, trustee details, account manager and adviser details, ABNs, and more.

In plain-text samples shared on the dark web, the hacker named what appeared to be at least four separate accountants and consultants in New South Wales and Melbourne, as well as numerous SMSF’s members and directors.

Rizwan Mahmood, chief executive and co-founder of Australian cybersecurity company Guardware, said the combination of separate financial data made the alleged breach particularly serious.

“A TFN paired with SMSF trustee information, risk profiles, and actual portfolio values gives a scammer a complete financial blueprint,” said Mahmood.

The hacker reportedly advertised three separate datasets for the alleged breach, all of which could be purchased with Bitcoin and other cryptocurrencies.

AAS has been contacted for comment but did not respond prior to publication.

Alleged exposure could last “years”

Mahmood added that using the allegedly leaked data, a scammer could know “who you are, how much you have, how you handle money, and the legal structure governing your retirement savings”.

“That is everything needed to make an impersonation approach highly convincing,” he said.

Mahmood also emphasised the financial data involved in the alleged incident “doesn't expire”.

“The people in this breach will be carrying that exposure for years,” he said.

Cyber expert Rizwan Mahmood said the breach is especially serious due to the financial nature of the information alllegedly stolen. Photo: LinkedIn

For those whose TFN or superannuation details are potentially exposed, Mahmood said the best course is to contact the Australian Taxation Office to activate additional verification measures and flag any affected tax file numbers as compromised.

“Update your myGov credentials and enable two-factor authentication,” said Mahmood.

“If you have an SMSF, review recent account activity with your trustee and be extremely cautious about unsolicited contact from anyone claiming to represent the ATO or your super fund.”

Prolific hacker approaching 30 Australian victims

Going by the forum handle ‘2019’, the threat actor has claimed responsibility for data leaks impacting at least 26 Australian companies since February.

Prior to AAS, their most recent target was national charity Lifeline, which confirmed it was victim to a data breach after limited staff and volunteer data appeared in a dark web post on Sunday.

Though the threat actor has a track record of legitimate data breaches, there have been multiple instances where their forum posts were at least partially refuted.

In June, government service Centrelink refuted the hacker’s claim that over 2,100 records from the service had been stolen.

As for the Lifeline incident, a company spokesperson said some information in the hacker’s post had seemingly been “doctored to include falsified information”.

Information Age understands the threat actor has published the bulk of their exploits on the same underground dark-web forum, where they sport a high-value “reputation” score for their repeated leak posts and peer endorsements.

At the time of writing, 2019 has not been identified nor attributed to any particular nation state or hacking group.

Mahmood said while he would expect the Australian Signals Directorate and Australian Federal Police are actively working to identify the threat actor, the data from their existing breaches is “already out and cannot be recalled”.

“The next actor will find the same doors open, because the underlying problem hasn't changed,” said Mahmood.

“If the files [allegedly] exfiltrated from AAS had been persistently encrypted at the file level, with keys held by the organisation rather than the infrastructure, a breach of the perimeter would have yielded nothing usable.

“We have spent a generation building better ‘castle walls’, but the data is still getting out.

“It is time we focused on protecting the data itself.”