The Australian State of New South Wales' reproductive and sexual health organisation Family Planning NSW has advised users of an April 2018 ransomware attack that may have compromised sensitive information.
The agency apparently retained web form messages on the public-facing server, meaning if its database was breached, attackers would have access to individuals' messages to Family Planning.
The organisation said it's contacting up to 8,000 clients to advise them of the April 26 event, and at the time of writing, its website carried the message “Our website is getting a security update”.
The agency says it was one of several “targeted by these cyber criminals requesting a Bitcoin ransom on ANZAC Day* [April 25th]”. The organisation's message says the site was “secured by 10am on April 26”, and “more sensitive medical records held internally were never under threat”.
Family Planning NSW says it has contacted the Australian Federal Police about the attack.
As writer Lauren Ingram pointed out on Twitter, even the contents of a contact form can contain sensitive information: “People contact Family Planning NSW for everything from contraception and advice on unplanned pregnancy/abortion, to cervical cancer screenings, STI tests, vasectomies and men’s sexual health”, she noted.
Family Planning told The Register that while there was a demand for ransom, “According to a security analysis by our webhost, they did not attempt to encrypt data let alone succeed.”
The attackers put a message on the site threatening to shut it down unless they were paid AU$15,000 in Bitcoin, CEO Ann Brassil told a press conference today.
The sensitivity of the information brings any potential breach under Australia's Notifiable Data Breaches Scheme, which launched in February 2018 (it's administered by the Office of the Australian Information Commissioner). ®
* Australia and New Zealand's equivalent of the UK's Remembrance Day and the USA's Memorial Day.