Cyber Incident Victim: Pont3

On October 6, 2016, Pont3, an Australian event organizer, experienced a data breach when an unauthorized party accessed its mailing list management service account. The attacker used legitimate credentials to log into the account, immediately changed the password, and exported subscriber data before the company detected the intrusion. The password change triggered an automated alert that notified Pont3’s team, prompting them to contact both their mailing list provider and the New South Wales Police. The mailing list provider confirmed the unauthorized access and temporarily suspended Pont3’s account during the investigation. Law enforcement determined the attacker had stolen subscriber information, including names, mailing addresses, phone numbers, and email addresses, but confirmed no financial data was compromised since such details were never stored in the mailing lists. The breach impacted individuals who had subscribed to newsletters or events organized by Pont3, including the Sydney Running Festival, Electric Run, Sydney Harbour 5k and 10k runs, Warrior Run, and the Manly Inflatable Boat Race.

New South Wales Police published an advisory warning affected individuals about potential phishing, spam, smishing, pretexting, and social engineering attacks stemming from the stolen data. Pont3 delayed notifying subscribers for one week at the request of law enforcement and cybersecurity experts investigating the incident. The company emphasized that the breach was confined to its mailing list service and did not affect other systems or financial records. Both Pont3 and authorities focused on mitigating risks to victims by urging vigilance against fraudulent communications. The intrusion’s origin remained unclear, with investigators unable to confirm whether it involved a disgruntled employee or external credential theft at the time of the public disclosure on October 13, 2016.