
Cyber Incident Victim: Costa Group

Date: Aug 2022

Location: Australia

Summary

A sophisticated phishing attack compromised a single server at Costa Group's Australian berry operations, potentially exposing sensitive employee information including passport details, tax file numbers, and financial records. While approximately 10% of the affected server's data was accessed, the encryption of downloaded files prevented confirmation of specific exfiltrated content. The incident caused temporary operational disruptions requiring manual workarounds and delivery delays, though core business systems and customer/supplier data remained unaffected. The company engaged cybersecurity consultants, notified regulatory authorities, and implemented enhanced protections including restricted server access and employee training. Continuous dark web monitoring has not detected leaked information, though potential risks to current and former berry farm workers hired since 2013 remain under assessment.


Description

On August 21, 2022, Costa Group, an Australian fruit and vegetable supplier, experienced a malicious and sophisticated phishing attack targeting its IT systems. The company initiated an intensive recovery process and detailed review with external IT security consultants immediately following the detection of the incident. Investigations revealed unauthorized access was confined to a single file server at Costa’s Corindi, New South Wales site, which stored data related to the berry category. Approximately 10% of the data on this server was accessed by the attackers, though the specific contents of the compromised data remained unclear due to the hackers encrypting their downloads. The incident caused operational disruptions, forcing Costa to implement manual workarounds at certain sites and delaying some deliveries. These impacts subsided as the company restored the majority of its network and systems, with no reported loss of data or material effect on operations or earnings.


Costa determined the accessed server contained both non-personal information and sensitive employee data, posing a risk that personal details of workers on Australian berry farms might have been exposed. Potentially compromised information included passport details, birth certificates, travel documents, Australian Citizenship Certificates, bank details, superannuation details, and Tax File Numbers for employees directly hired by Costa’s berry category since 2013 or provided by labor-hire organizations since 2019. Costa notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner about the breach, though the timeline of discovery relative to mandatory reporting requirements was not specified. The company implemented protective measures to prevent further attacks, including restricting server traffic, enhancing endpoint security, and scheduling additional employee training on phishing and social engineering. Costa conducted continuous dark web monitoring to detect potential leaks of the accessed data but found no evidence of publication. A dedicated contact line and email address were established for affected individuals, and interim CEO Harry Debney emphasized the attack’s sophistication while confirming no core business applications, customer data, or supplier information were compromised.
