Cyber Incident Victim: Symantec

Date: Feb 2019

Location: Australia

Summary

A cybersecurity firm experienced a breach at an isolated Australian demonstration lab used for showcasing security solutions, where a hacker accessed demonstration accounts containing dummy emails, passwords, and a test list of prominent Australian entities including government agencies, banks, and universities. The company emphasized the lab was disconnected from its corporate network and contained no sensitive personal or operational data, though some listed entities confirmed using other services from the firm while others disputed their inclusion as clients. While the incident did not trigger mandatory breach notifications under privacy laws due to the absence of sensitive information, several affected organizations sought clarification from the firm regarding their inclusion in the test data.

Description

In early 2019, a hacker breached a demonstration lab operated by Symantec in Australia, accessing systems used to showcase the company's CloudSOC security solutions. The isolated lab environment, intentionally disconnected from Symantec's corporate network, contained dummy emails, demonstration passwords, and test files simulating client data. Among the extracted materials was an outdated list of prominent Australian entities including federal agencies like the Australian Federal Police, major banks, insurers, universities, retailers, and multiple government departments at both federal and New South Wales state levels. Symantec characterized the incident as minor upon discovery, emphasizing that no production systems, corporate email accounts, or customer data repositories were compromised. The company asserted the compromised information consisted exclusively of non-sensitive demonstration artifacts created for training purposes, with no actual client data or personally identifiable information present in the test environment.

The breach prompted scrutiny from listed organizations, several of which contacted Symantec for clarification despite the company's position that the entity list reflected potential demonstration scenarios rather than confirmed customers. Multiple federal departments—including Infrastructure, Industry, Human Services, and Finance—publicly confirmed they neither used CloudSOC services nor stored data with Symantec. Conversely, the Department of Social Services acknowledged using Symantec products including CloudSOC, though it clarified that the service wasn't employed for storing customer or sensitive information. Other agencies like Agriculture, Education, Employment, and Communications confirmed using different Symantec cybersecurity products unrelated to cloud services. Symantec maintained the incident didn't trigger mandatory breach notification obligations under Australian privacy law, citing the absence of exposed personal information that could cause serious harm. The company undertook unspecified remediation efforts while reiterating that the demo lab's purpose and contents fundamentally differed from operational systems handling client data.
