Australian GPS and driver licence data has been offered up for sale in an alleged data breach targeting fleet management and GPS tracking provider Teletrac Navman.
The alleged data leak appeared on a hacking forum in early July, when a user named ‘laserscript’ claimed to have compromised “continuous real-time GPS tracking data” for 2,988 companies across Australian and New Zealand.
The company – which provides telematic and GPS tracking for vehicle fleets – was allegedly robbed of sensitive information related to a 48-hour window in late June.
The dataset was allegedly exfiltrated from Teletrac Navman, a US-headquartered provider with offices in Melbourne, Sydney, and New Zealand.
“This is the LIVE PRODUCTION TELEMETRY FEED [sic],” wrote the threat actor.
“Every vehicle, every driver, every position update, continuously streamed for 48 hours.”
Laserscript claimed to have acquired more than 670,000 unique GPS position records, along with the “rego + VIN + make/model [sic]” for more than 30,000 unique vehicles.
As reported by threat intelligence platform Daily Dark Web, the personal information of nearly 8,400 drivers was also allegedly compromised.
This data purportedly included over 6,100 email addresses, over 3,200 mobile numbers, and over 1,200 driver licence numbers.
“If authentic, exposure of live fleet telematics data poses risks beyond privacy,” wrote Daily Dark Web.
.jpg)
Alleged GPS data was advertised for sale on an underground forum. Source: Daily Dark Web
“Vehicle locations, movement patterns, driver identities, and operational routes could be exploited for physical surveillance, cargo theft, corporate espionage, and attacks against critical infrastructure operators.”
Teletrac Navman has been contacted for comment but did not respond prior to publication.
Hacker lists government, critical infrastructure victims
Laserscript named a handful of the near-3,000 organisations involved in the alleged breach – including some Australian and New Zealand government organisations and critical infrastructure providers.
The hacker claimed some 4,800 GPS positions and 234 vehicles for Gold Coast City Council were among the stolen data, along with 5,600 positions and 312 vehicles for New Zealand’s state-owned rail operator KiwiRail.
Other alleged victims included Australia's largest private rail freight operator Pacific National, water and waste management company Veolia, mining giant BHP’s Newman Operations, and more.
It is unclear precisely how many Australian organisations use Teletrac Navman, though the Transport Certification Australia website lists the company as an approved service provider under Australia’s National Telematics Framework.
Aldi and Lindsay Australia among alleged victims
According to the leak post, the bulk of the extracted data relate to major commercial entities.
Among others, the threat actor named supermarket chain Aldi Stores Australia, transport and logistics company Lindsay, and transport rental company Rentco.
The hacker did not list a price for the data, though they encouraged potential buyers to reach out via encrypted messaging platforms to receive a 1,500-line sample of the 7.7 gigabyte dataset.
This sample has reportedly been downloaded by enough people to trigger a 1,000GB monthly download limit on its hosting provider.
When contacted by Information Age, the Office of the Australian Information Commissioner (OAIC) did not confirm or deny whether it has received any communications for a notifiable data breach relating to Teletrac Navman.
“Generally, organisations covered by the Privacy Act have 30 days to assess whether a data breach is likely to result in serious harm and to notify the OAIC under the Notifiable Data Breaches scheme,” a spokesperson told Information Age.
Cyber expert warns of long-term risks
Jamieson O’Reilly, white hat hacker and founder of information security company Dvuln, warned that if the breach proves authentic, the consequences could “reach considerably further” than privacy and identity risks alone.
“We have moved well past the era in which attackers seized a dataset simply to monetise stolen identities through fraud,” O’Reilly told Information Age.
“The more capable groups now treat a breach as raw material, something to be studied and leveraged with patience and intent.”
O’Reilly explained that while those who purchase the data are unlikely to “sit watching these GPS feeds in order to steal thousands of vehicles overnight”, the alleged dataset could be used for convincing social engineering campaigns.
“When somebody makes contact posing as a party you have every reason to trust, and they already hold details that check out cleanly, the vehicle, its VIN, the driver's name, their mobile number, their licence, the target is left with almost no natural reason to hesitate,” he said.
O’Reilly also noted that international threat actors could benefit from purchasing the data from a forum user with no obvious “state affiliation”.
“The original intruders absorb the attribution and the scrutiny, while others quietly acquire the material and put it to whatever use suits them,” he said.
“When that material describes the movement patterns, driver identities and operational routes of government bodies, rail operators, utilities and major logistics firms, it becomes precisely the sort of long-term intelligence that such an audience values most.”