Cyber Incident Victim: Telstra

On or around September 26, 2022, Telstra became aware of a data breach involving information from a third-party supplier, Pegasus Group Australia, which operated the now-defunct Work Life NAB platform. This platform previously supported an obsolete Telstra employee rewards program and was utilized by multiple organizations beyond Telstra. The breach resulted in the exposure of basic employee data from 2017, specifically first and last names alongside email addresses used to register for the rewards program. No Telstra systems were compromised in the incident, and no customer account information was stored on or accessed from the third-party platform. The breached data appeared on the internet, though the exact method of unauthorized access to Pegasus Group Australia’s systems was not disclosed. Telstra emphasized that the event was not isolated to their organization, with several other companies also impacted by the same third-party breach.

Telstra notified its current employees shortly after confirming the breach during the week of September 26, 2022, and committed to attempting outreach to former employees despite assessing the risk to them as low. The company clarified that the Work Life NAB platform was no longer operational at the time of the breach. Telstra engaged collaboratively with Pegasus Group Australia, a subsidiary of MyRewards International Ltd, to investigate the root cause and evaluate any further potential impacts. No additional technical details regarding containment measures or forensic findings were disclosed. Updates were promised via Telstra’s exchange portal and social media channels if the situation evolved, though no subsequent material developments were reported in the immediate aftermath of the initial disclosure.