Cyber Incident Victim: Pegasus Airlines
Date: May 2022
Location: Australia
Summary
A phishing attack compromised an employee's email account at an Australian pension provider, exposing personal data of approximately 50,000 individuals. The breached information included names, addresses, contact details, member account numbers, and balances from specific years, but excluded sensitive identifiers such as government-issued numbers or bank details. The incident resulted from human error during a widespread phishing campaign; the attacker gained access to the mailbox even though multi-factor authentication was in place. The organization detected and contained the breach promptly and confirmed that no further systems were impacted. Enhanced security measures were implemented, affected individuals were notified, and the relevant authorities were informed.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 19, 2022, Australian pension provider Spirit Super experienced a data breach following a successful phishing attack targeting an employee’s email account. The unauthorized access occurred when a staff member fell victim to a malicious email masquerading as official correspondence, resulting in password compromise. Despite the organization’s implementation of multi-factor authentication (MFA), the attacker gained entry to the mailbox containing personal member data. Spirit Super’s cybersecurity team detected the compromised account promptly, containing the breach to the single mailbox and preventing further system access. An investigation revealed the exposed information included names, addresses, email addresses, telephone numbers, member account numbers, ages as of 2019-2020, and account balances from those years. Approximately 50,000 of Spirit Super’s 325,000 members were affected by this incident, though the organization emphasized the absence of highly sensitive data such as dates of birth, government identification numbers, or bank account details in the compromised dataset.

Spirit Super initiated immediate response measures, including enhanced account controls and a comprehensive review of account activity. The organization notified affected individuals directly and confirmed that members who were not contacted were not exposed. Relevant authorities, including Australia’s Privacy Commissioner, were formally informed of the breach. Spirit Super characterized the incident as opportunistic rather than targeted, attributing it to human error during a widespread phishing campaign rather than to systemic security failures. The company reinforced its IT security protocols following the breach but provided no specific technical details about these upgrades. In communications to members, Spirit Super advised caution about publicly disclosing that they may have been affected by the breach, noting that there was no evidence the attacker had intentionally accessed the data and that it remained uncertain whether the compromised information had been exploited.
