Cyber Incident Victim: Svitzer
Date:
May 2017
Location:
Australia
Summary
A global shipping company experienced a significant data breach where emails from three employee accounts were secretly auto-forwarded externally for nearly 11 months, compromising sensitive personal information of approximately 500 Australian staff members—nearly half its local workforce. The breach affected finance, payroll, and operations accounts, potentially exposing tax file numbers, superannuation details, and next-of-kin information. The company halted the theft after an employee reported suspicious email activity, discovering malicious forwarding rules that deleted traces of the exfiltration. Forensic investigators confirmed no internal involvement, and legal action was initiated to access the external email accounts involved. The incident was disclosed under Australia’s mandatory breach notification scheme following a 15-day assessment period.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Svitzer data breach began on May 27, 2017, when unauthorized email forwarding rules were secretly created on three employee accounts within the Australian operations of the global shipping company. These rules automatically forwarded emails from finance, payroll, and operations mailboxes to two external email accounts without the knowledge of the account owners. The perpetrator added further rules to delete the forwarded copies from the sent folders, so the account owners saw no trace of the exfiltration. This activity continued undetected for nearly 11 months until March 1, 2018, when an employee alerted Svitzer's IT help desk about a suspicious email rejection notice (a bounce) that referenced an external account. The subsequent investigation revealed the unauthorized forwarding mechanism, prompting immediate containment measures to disable the rules. Approximately 500 Australian employees – nearly half of Svitzer's 1,000-person domestic workforce – had sensitive personal information compromised, including tax file numbers, superannuation account details, and next-of-kin information. Forensic experts estimated that between 50,000 and 60,000 emails were exfiltrated during the breach period.
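The technique described above (a mailbox rule that forwards or redirects mail to an external address, paired with a delete or move action that hides the evidence) is detectable by auditing inbox rules across all mailboxes. The following Python is an added example written for this page, not code from Svitzer or its investigators. It assumes rule records already exported from the mail platform in a shape modelled on the attributes that Exchange's Get-InboxRule returns (Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder); the mailbox names, the example.com internal domain and the sample rules are constructed, not real Svitzer data.

```python
"""Flag mailbox rules that forward mail outside the organisation and hide the trail.

Added example (not part of the original page). Input records are assumed to be
dicts shaped after Exchange Get-InboxRule output; the sample below is constructed.
"""
import re

# Assumption: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Matches a bare SMTP address inside strings such as "Name [SMTP:user@host]".
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Folders commonly used to park forwarded or triggering mail out of sight.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                  "conversation history", "junk email", "archive"}

# Constructed sample: one hidden external forward, one benign internal forward,
# one external redirect parked in RSS Feeds, one plain external forward and one
# disabled rule left over from an earlier compromise.
SAMPLE_RULES = [
    {"Mailbox": "payroll@example.com", "Name": "Backup", "Enabled": True,
     "ForwardTo": ["Archive [SMTP:collector@mail-example.net]"],
     "ForwardAsAttachmentTo": [], "RedirectTo": [],
     "DeleteMessage": True, "MoveToFolder": None},
    {"Mailbox": "finance@example.com", "Name": "Cover", "Enabled": True,
     "ForwardTo": ["colleague@example.com"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": None},
    {"Mailbox": "ops@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ["drop@webmail-example.org"],
     "DeleteMessage": False, "MoveToFolder": "RSS Feeds"},
    {"Mailbox": "accounts@example.com", "Name": "Invoices", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": ["drop@webmail-example.org"],
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": None},
    {"Mailbox": "hr@example.com", "Name": "Old", "Enabled": False,
     "ForwardTo": ["drop@webmail-example.org"], "ForwardAsAttachmentTo": [],
     "RedirectTo": [], "DeleteMessage": True, "MoveToFolder": None},
]


def recipient_addresses(values):
    """Extract lower-cased SMTP addresses from Exchange-style recipient strings."""
    found = []
    for value in values or []:
        match = ADDRESS_RE.search(value)
        if match:
            found.append(match.group(0).lower())
    return found


def external_recipients(rule, internal_domains):
    """Return every forward/redirect target whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    addresses = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        addresses.extend(recipient_addresses(rule.get(key)))
    return [a for a in addresses if a.split("@", 1)[1] not in internal]


def hides_evidence(rule):
    """True when the rule deletes the message or files it in a rarely viewed folder."""
    folder = (rule.get("MoveToFolder") or "").lower()
    return bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS


def assess_rule(rule, internal_domains):
    """Return a finding dict for an externally forwarding rule, else None."""
    external = external_recipients(rule, internal_domains)
    if not external:
        return None
    hiding = hides_evidence(rule)
    if not rule.get("Enabled", True):
        severity = "low"       # dormant, but still worth removing and investigating
    elif hiding:
        severity = "high"      # forwarding plus concealment: the pattern seen here
    else:
        severity = "medium"
    return {"mailbox": rule["Mailbox"], "rule": rule.get("Name", ""),
            "external_recipients": external, "hides_evidence": hiding,
            "severity": severity}


def scan_rules(rules, internal_domains):
    """Assess every rule and return findings ordered by severity, then mailbox."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (assess_rule(r, internal_domains) for r in rules) if f]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["mailbox"]))


if __name__ == "__main__":
    for finding in scan_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{finding['severity']:6} {finding['mailbox']:22} rule={finding['rule']!r} "
              f"-> {', '.join(finding['external_recipients'])} hidden={finding['hides_evidence']}")
```

Two caveats for anyone adapting this: it only inspects rules, so a mailbox-level forwarding address set outside the rule engine (in Exchange, the ForwardingSmtpAddress property) needs a separate check, and a point-in-time sweep will miss a rule that was created, used and removed between runs, so the creation and modification events themselves (New-InboxRule and Set-InboxRule in the Exchange audit log) should also be alerted on as they occur.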

Svitzer engaged forensic IT specialists to investigate the incident and served a court order on March 15, 2018, to compel the unidentified external email provider hosting the recipient accounts to grant access for the investigation. Company representatives ruled out internal involvement but did not publicly attribute the breach to specific threat actors. Management notified affected employees on the same day as regulatory disclosure, offering support services while continuing to assess the full scope of compromised data. The breach was reported to Australia's Office of the Australian Information Commissioner (OAIC) under the newly implemented Notifiable Data Breaches scheme, marking one of the first disclosures under this framework. The 15-day interval between discovery and formal notification drew commentary regarding compliance timelines, though it fell within the scheme's 30-day assessment window. Ongoing investigations focused on determining whether additional systems beyond the three email accounts were compromised and identifying the perpetrator through the court-ordered email provider access.
