Cyber Incident Victim: OracleCMS
Date:
Apr 2024
Location:
Australia
Summary
A ransomware attack by the LockBit group compromised an Australian call center operator, leading to the leak of over 60 gigabytes of sensitive client data on the dark web. The breach exposed personal and operational information from numerous entities, including local councils, law firms, aged-care services, and a religious organization, encompassing details such as client phone numbers, email addresses, parking infrastructure records, subscriber lists with names and addresses, and non-identifiable but sensitive reports of health incidents and domestic violence. Internal documents like contracts and confidentiality agreements were also published. The company, which provides contact center services across multiple Australian cities, has not publicly commented, though one affected client confirmed collaboration to investigate the incident and assess potential enhancements to data protection measures.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 4, 2024, the LockBit ransomware group executed an attack against OracleCMS, an Australian call center operator with facilities in Adelaide, Perth, Brisbane, Melbourne, and Sydney. LockBit publicly claimed responsibility for the breach on its dark web leak site on April 12, 2024, accompanied by sample documents including billing records and financial details. The group set a ransom deadline of April 16, threatening full publication of stolen data if demands were unmet. Following the expiration of this deadline, LockBit released over 60 gigabytes of compressed data containing OracleCMS's internal documents and client information. The archive contained a dedicated "Clients" folder with organizational data spanning more than 50 entities, including over a dozen Australian local councils such as Campbelltown Council, Tweed Shire Council, Dandenong City Council, and the City of Sydney. Additional municipal clients included the cities of Kwinana, Moreton Bay, Playford, Busselton, and Marion. Non-government clients exposed in the leak comprised law firms, a real estate agency, and the Queensland branch of the Philadelphia Church of God.
The compromised data included operational details such as client on-call phone numbers, work emails, parking meter locations with meter IDs for the City of Sydney, and a subscription list of 2,000+ individuals with names and addresses tied to the Philadelphia Church of God’s Key of David program. Sensitive non-personally identifiable information regarding aged-care service calls—documenting reports of illnesses and domestic violence incidents—was also exposed. OracleCMS’s internal contracts, confidentiality agreements, and financial documents appeared in the leak. While OracleCMS declined to comment on the incident, the City of Sydney confirmed its contractual relationship with the call center operator for after-hours support and clarified that no city systems were breached. The municipality stated it was collaborating with OracleCMS to investigate the incident and assess potential enhancements to information protection measures. LockBit did not disclose its ransom demands or the initial attack vector, and no containment or remediation actions by OracleCMS were publicly verified at the time of reporting.