Update 9.27.2024
Several hours after our article was published, we read a third statement from Compass Group Australia regarding the cyberattack it suffered in early September. According to the ransomware group Medusa, the attack led to the loss of approximately 800GB of data, some of it sensitive, exfiltrated from the company's servers by an affiliate of the cybercriminal group.
In this statement, Compass reiterates what was already stated in their two previous communications.
[…] Since we became aware of the incident, we have worked continuously with forensic experts and specialist legal counsel to remove the threat, implement additional monitoring and surveillance, and verify what information was compromised.
Protecting our people and our clients is our highest priority. […]
[…] In anticipation that the accessed data may be illegally published online in the coming days or weeks, we are taking a number of legal steps to prevent this activity and limit its impact. This includes working with the Australian Federal Police to remove any material that is posted and taking court action to prevent any party from re-publishing that data. […]
Following analyses conducted by their forensic experts and specialized legal consultants regarding the nature of the exfiltrated data, Compass states that the number of employees or former employees of Compass Group Australia affected by the data theft appears to be relatively small.
[…] Our investigations into the nature and extent of the impacted data indicate that it primarily relates to a relatively small number of Compass Group Australia employees, including former employees. We are in the process of formally notifying and supporting the individuals we have been able to identify so far. […]
They encourage their employees and customers to be vigilant about possible misuse of their personal information, and list a series of precautionary measures to adopt.
SuspectFile.com will continue to monitor the situation and provide updates as new details emerge.
Two ransomware attacks, with a double data exfiltration from servers totaling approximately 800GB, occurred just days apart. This is what Compass Group Australia (Compass), a company operating in the food service and distribution sector, headquartered in McMahons Point with over 13,000 employees, has experienced.
In early September, the first breach of the IT systems was carried out by the ransomware group Medusa. During the initial attack, an affiliate of the group had already managed to exfiltrate most of the total data. While the first attack resulted in a complete encryption of the data, the second attack led to only partial data encryption.
On September 17, the group posted the first of two announcements on its Tor blog, claiming that the Australian company had been hit by a ransomware attack, resulting in the loss of 785.5 GB of data. As evidence, they also published 36 images linked to Compass’ administrative documents, confidential corporate emails, wage declarations, as well as driver’s licenses and passports belonging to individuals from various countries, including Italy, Sri Lanka, New Zealand, France, Colombia, Malaysia, and more.
A second announcement was published by Medusa the following day, referencing a second attack on the servers carried out by its affiliate. In this new announcement, the group emphasized the poor competence and professionalism of the Australian company’s IT department. To prove the second breach of the network, they posted two screenshots of the “Directory Users and Computers”.
Our affiliate entered this poor network this morning and messed the computers again! Company kiddy network administrators installed Crowdstrike Falcon EDR everywhere and thought they removed all our connections. Affiliate took the screenshots of DC. Company doesn’t care the customer’s privacy and also their network security too. One of the poorest company with poor network admins in Australia.
Screenshot and redaction by SuspectFile.com
Undoubtedly, a severe blow to Compass’ credibility, especially considering that on September 18, the company had published a statement on its website claiming to be conducting a ‘safe and secure’ restoration of its systems and that most of them had already been brought back online.
[…] Compass Group is taking a methodical approach to the restoration of systems, to ensure that we can confidently restore systems in a safe and secure way. Our priority is to ensure the integrity of our network and minimise the risk of future threats. The majority of systems have now been brought back online. […]
In the second statement published on its website on September 20, Compass confirmed that it had suffered another attack on its IT systems.
[…] Yesterday our security measures detected unauthorised activity on a server recently brought back online. In line with our security protocols, we disabled that system and contained the threat. […]
In recent days, SuspectFile.com reached out to both Compass and the ransomware group with a series of questions. Through an email, the Australian company informed us that ‘someone’ would get in touch with us in the following days, but as of today, we have not received any further emails with answers to our questions.
Screenshot and redaction by SuspectFile.com
It was a different story with the ransomware group Medusa, which, after being contacted through their Tox account, promptly responded to our questions. We present the exchange below.
SuspectFile.com: So your affiliate accessed Compass Group systems twice. Were the 785GB of data exfiltrated all during the first time?
Medusa Team: Most of data is already uploaded at first time. We copied some more data second time.
SuspectFile.com: Were the data encrypted by your affiliate both times?
Medusa Team: Yes, but second time : not locked all.
SuspectFile.com: Were there any negotiations with Compass Group? If so, through chat, email, or other means?
Medusa Team: They came to our tor chat, begged long time, but couldn’t pay our amount.
SuspectFile.com: In your second announcement on your blog, you claim that despite the network administrator installing Crowdstrike Falcon EDR, it was unable to protect the systems. You described the network admins as “One of the poorest companies with poor network admins in Australia.” Can you explain in detail what mistakes were made by Compass Group’s IT department?
Medusa Team: After the first lock, they couldn’t remove all our payloads. most companies don’t do such that mistake.
SuspectFile.com: At this point, do you believe their network is still vulnerable to external attacks?
Medusa Team: Not sure but maybe.
Medusa claims that after the first attack on Compass’ servers, the company’s network administrators were unable to adequately protect their systems, despite having installed CrowdStrike Falcon EDR. As we previously reported, in its first statement, the company wrote that it was restoring its systems using a “methodical approach” to ensure a safe and secure recovery, with most of the network already brought back online.
In recent days, we have had the opportunity to analyze additional data exfiltrated by Medusa’s affiliate, and we can confirm that, beyond the documents published by the group, there are other administrative documents classified by Compass as “CONFIDENTIAL” and “HIGHLY CONFIDENTIAL.”
These documents, which cover the period from July to September 2023, contain signed testimonies (Records of Personal Statements) provided by some employees. These documents could have been used by the company to initiate disciplinary actions against other employees deemed guilty of reprehensible behavior, with some cases being so offensive that they could have led to dismissals. Specifically, the documents contain:
- Employee’s full name
- Employee ID number
- Position
- Employee’s signature
- Supervisor/Manager’s full name
- Workplace location
The loss of such documents is already very serious. However, what makes the situation even more concerning is the possibility that this documentation could soon be made public, as Medusa had set the deadline for yesterday, September 25. The ransom demanded by the cybercriminals for the deletion of the data was $2,000,000.
Note: We had to heavily redact the documents shown below because, through certain phrases or details contained within, it would have been possible to identify some of the individuals involved in the disciplinary proceedings against a Compass employee.
Screenshot and redaction by SuspectFile.com
Other sensitive documents exfiltrated by Medusa concern a Compass employee with a Spanish passport. All sensitive data was readable and showed no redaction:
- Passport (expiration: October 2022)
- Address
- Personal email
- Employment contract
- Worker’s Injury Claim
- Invoices related to the claim (Physiotherapy)
- Medical certificate with diagnosis
- Email correspondence between the employee and her Advisor – Claims Compass Group
- Criminal History Check Report (Organisation: National Crime Check)
Screenshot and redaction by SuspectFile.com
As always, in the case of data theft, negligence must be attributed to the entity responsible for protecting not only its own documents but, more importantly, the data entrusted to it by its employees. In this case, not only was protection lacking, but there were two intrusions into the IT systems within a few days of each other.
In this specific case, the IT department’s carelessness and inadequacy at Compass allowed cybercriminals to exfiltrate and encrypt further sensitive data on their servers. As we have emphasized multiple times, IT security, the preparedness of such a strategic department, and the training of employees on basic cybersecurity principles—whether in a private or public organization—should not be optional but a priority. Investing money only after being hit by cyberattacks is of little value and certainly won’t prevent potential future identity thefts, phishing, or smishing campaigns.
Last night, we sent a second email to the National Manager – Communications at Compass Group Australia, informing them that today we would be publishing the article on this case. As of now, we have not received a response.
SuspectFile.com will continue to monitor the situation and provide updates as new details emerge.