Cyber Incident Victim: FIT College
Date: Mar 2015
Location: Australia
Summary
An Australian educational institution training personal trainers experienced a cybersecurity breach where attackers compromised their systems and publicly listed available databases. The same threat actor responsible for a prior intrusion at another Australian training provider accessed over 5,000 student records and 6,000 payment records, though they claimed not to have downloaded the full datasets. Exposed information included names, email and postal addresses, account passwords, bank account details with branch codes, and credit card numbers with expiration dates and CVV security codes. The attackers asserted that inadequate security measures enabled broader access to sensitive records than was ultimately exploited.
Description
In March 2015, FIT College, an Australian institution training personal trainers, experienced a data breach perpetrated by a hacker using the Twitter handle @ChrichirTheGod. The attacker, who previously compromised South West TAFE in Australia, publicly disclosed the breach by posting a listing of FIT College’s available databases on Pastebin on March 18, 2015. The hacker claimed to have accessed the college’s systems alongside another individual, @injekt_, though they stated they did not download the full datasets. According to their communications with DataBreaches.net, the attackers gained access to over 5,000 student records and more than 6,000 payment records. These records reportedly contained names, email and postal addresses, site passwords, bank account numbers with branch codes (BSBs), and credit card details including card numbers, expiration dates, and CVV codes. The hacker asserted that the breach’s scope could have been significantly larger, emphasizing that thousands of additional records remained accessible but were not exfiltrated.

The incident exposed highly sensitive financial and personal information, creating substantial risks for affected students and clients. Compromised credit card data with CVV codes and expiration dates enabled potential fraudulent transactions, while bank account details and BSBs increased risks of unauthorized financial transfers. Exposed site passwords could have facilitated further account compromises if reused across other platforms, and personal identifiers like names and addresses heightened risks of identity theft. The hacker explicitly criticized FIT College’s security posture, stating the institution “need[s] better security” and implying that weak defenses enabled the intrusion. No specific containment actions, detection methods, or institutional responses were detailed in the available source material. The breach highlighted vulnerabilities in the college’s data protection measures, particularly given the attacker’s ability to access multiple databases containing payment and student records without immediate detection or obstruction.
