Cyber Incident Victim: Aristocrat

On or around June 1, 2023, Aristocrat Leisure Limited experienced a cyber incident. The company confirmed the event in a public statement issued on August 4, 2023. The intrusion was attributed to a criminal hacker who exploited a newly identified vulnerability, described as a zero-day, within third-party file-sharing software utilized by Aristocrat. The specific software named was MOVEit. This exploitation provided the attacker with unauthorized access to a company server.

The primary action undertaken by the threat actor was the exfiltration of data from the compromised Aristocrat server. The extracted information included personal information belonging to Aristocrat employees. The stolen data set also contained other company data, though the specific nature of this additional information was not detailed in the public disclosure. Subsequent to the exfiltration, Aristocrat became aware of reports indicating that the criminals responsible for the attack had published extracts of the stolen data online.

Upon discovery of the incident, Aristocrat initiated a comprehensive response. The immediate steps taken involved containing the security breach to prevent further unauthorized access or data loss. The specific vulnerability within the MOVEit software that was exploited by the attacker was remedied. The company also engaged with relevant law enforcement agencies to report the criminal activity. Notifications were made to required gaming regulatory authorities and other pertinent regulatory bodies as necessitated by the circumstances of the data breach.

Aristocrat enlisted the support of independent cybersecurity experts to assist in the investigation and mitigation efforts. The work with these experts focused on conducting a thorough forensic analysis to determine the precise scope of the incident and to identify exactly what data was exfiltrated during the attack. This analysis was critical for understanding the full impact of the breach and for fulfilling the company's legal and regulatory obligations concerning data privacy and breach notification.

A significant component of the company's response was its communication and support for affected individuals. Aristocrat advised all of its employees globally about the incident, acknowledging that their personal information was part of the data set stolen from the server. As a protective measure for its staff, the company offered complimentary credit monitoring and identity theft protection services to help mitigate the potential risks arising from the exposure of their personal data.

Internally, Aristocrat conducted a risk assessment to evaluate any potential impact to its business operations arising from the cyber incident. Based on the information available as of August 4, 2023, the company concluded that it expected a low business impact from the event. This assessment was contingent upon the execution of an appropriate risk management and mitigation plan, which the company committed to implementing. Aristocrat stated its intention to continue managing the incident proactively and comprehensively, with the stated aim of acting in the best interests of its people, business, and other stakeholders.

The incident did not reportedly cause a significant disruption to the company's core business functions. Aristocrat, an ASX20 listed company headquartered in Sydney, Australia, operates globally with more than 7,500 employees across over 20 locations. Its business units include Aristocrat Gaming, Pixel United, and Anaxi. The company's statement indicated that the operational impact was expected to be low following the containment and remediation actions. The primary consequences of the incident were the compromise of employee personal data, the publication of some stolen data by the attackers, and the requisite internal and external response efforts undertaken by the company to address the breach and its fallout.