Cyber Incident Victim: Data#3 Limited
Date:
Aug 2020
Location:
Australia
Summary
Data#3 Limited experienced a cybersecurity incident involving an overseas third party, prompting an ongoing investigation. The company proactively notified 28 affected customers and engaged forensic experts to assess the breach. While the incident was deemed not reportable under national data breach regulations due to insufficient risk of serious harm, its significance led to disclosure to the stock market.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Data#3 Limited, an Australian IT vendor, publicly disclosed a cybersecurity incident on August 26, 2020, through a filing with the Australian Securities Exchange (ASX). The company characterized the event as a "cyber incident" involving an overseas third party, though it did not specify the nature of this third party's involvement or the exact attack vector. Data#3 immediately initiated an investigation into the incident, indicating the event was recent enough to warrant ongoing scrutiny at the time of disclosure. The company proactively contacted 28 customers identified as impacted by the breach, though the specific criteria for determining impact or the type of compromised data remained undisclosed. Concurrently, Data#3 engaged a forensic investigator to analyze the incident and prepare a formal report, suggesting the breach required specialized technical analysis to determine its scope and origin.
The company asserted that preliminary findings indicated the incident did not meet the threshold for mandatory reporting under Australia's Notifiable Data Breaches (NDB) scheme, which requires disclosure only when breaches are likely to cause "serious harm" to individuals. Despite this assessment, Data#3 deemed the incident materially significant enough to warrant disclosure to shareholders via the ASX, reflecting potential operational, reputational, or financial implications. No details were provided about affected systems, data types, attacker methodologies, or detection timelines, leaving the technical scope undefined. Data#3 acknowledged that the investigation might necessitate further response actions pending its conclusions, leaving open the possibility of additional containment or remediation measures. The selective notification of 28 customers—coupled with the absence of regulatory reporting—implied a contained impact scenario, though the company’s decision to publicly announce the breach underscored its perceived operational significance within corporate governance frameworks.