Cyber Incident Victim: Spirit Super

Date: May 2022

Location: Australia

Summary

A Spirit Super staff email account was compromised through phishing, leading to unauthorized access of a mailbox containing personal member information. The breached data primarily resembled annual statement details such as names, addresses, ages, contact information, account numbers, and balances, though a limited subset included sensitive documents like identification records, tax file numbers, bank details, and birthdates. The organization swiftly contained the incident, initiated an investigation to determine impacted individuals, and prioritized outreach to those affected by the exposure of higher-risk data.

Description

On 19 May 2022, Spirit Super detected unauthorized access to a staff member’s email account, which was compromised through a phishing attack. The organization identified the security breach promptly and contained the affected account to prevent further unauthorized activity. An investigation followed to assess the scope of the incident, revealing that the compromised mailbox contained personal member data. The breach did not stem from a system vulnerability or technical failure but resulted directly from the phishing activity targeting the employee’s credentials. Spirit Super confirmed that unauthorized actors accessed information typically found in annual statements, including member names, addresses, email addresses, telephone numbers, account numbers, and balances as recorded in 2019 and 2020. The majority of exposed records did not contain highly sensitive identifiers such as full dates of birth, tax file numbers, driver’s license details, or bank account information.

A smaller subset of compromised data included identification documents such as passports and driver’s licenses, along with bank account details, tax file numbers, dates of birth, and statements for a limited number of individuals. Spirit Super prioritized direct notification and support for those affected by this more sensitive data exposure. The organization emphasized that the breach was isolated to the single email account and did not compromise broader IT systems or databases. No evidence suggested misuse of the exposed data beyond the initial unauthorized access. Spirit Super undertook steps to reinforce security protocols and prevent similar incidents, though specific technical or procedural changes were not disclosed publicly. Impacted members received guidance on monitoring their accounts for suspicious activity, though the organization did not report any downstream financial fraud or identity theft linked directly to the breach at the time of their public statement on 19 August 2022.
