Cyber Incident Victim: Contact 121
Date:
Aug 2023
Location:
Australia
Summary
A cyber security breach involving a third-party call center previously contracted by a government superannuation provider resulted in unauthorized access to sensitive member data retained after the contract concluded. The incident impacted over 14,000 individuals, potentially exposing personally identifiable information including names, addresses, and dates of birth, with some records containing additional details. The breach was detected months after the unauthorized access occurred, prompting criticism over delayed disclosure and inadequate data management practices. Authorities confirmed the third party no longer provides services to the government and are investigating why the data was retained. While no other agencies were confirmed affected, the incident highlighted systemic gaps in third-party data retention policies and incident response protocols.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Super SA cyber incident involving third-party provider Contact 121 originated from a 2019 breach at the government superannuation fund, which compromised data of 14,011 members. In 2020, Super SA contracted Adelaide-based call center Contact 121 to manage communications with affected members. After the contract concluded, Contact 121 retained member data without authorization. Between late July and early August 2023, hackers accessed this stored data—marking the second exposure of the same cohort's information. The breach was detected by Super SA on September 1, 2023, though confirmation occurred only on October 4. Internal government notifications followed inconsistent timelines: The Department of the Premier and Cabinet received initial alerts by August 18, while Treasurer Stephen Mullighan was informed nearly eight weeks post-incident on October 12.
Impacted data included names, addresses, birthdates, and potentially additional personal identifiers from the 2019 dataset, with no evidence of post-2020 information exposure. Super SA notified members on October 16, acknowledging uncertainty about whether hackers actually viewed or extracted data but implementing precautionary account security measures. The government terminated all contracts with Contact 121 and confirmed no current agencies used its services. Treasurer Mullighan publicly criticized delayed agency responses and initiated investigations into why Contact 121 retained data post-contract and why breach protocols failed. Opposition figures and cybersecurity experts highlighted systemic vulnerabilities, noting South Australia’s lack of legal mandates for data deletion after vendor contracts expire and reliance on outdated 2018 data management guidelines. The incident exposed approximately 14,000 individuals to potential identity theft risks while revealing gaps in governmental third-party data oversight.