Fruit grower warns bank tax data compromised in cyberattack

Avocado and berry producer Costa Group says there is no evidence that sensitive employee tax and passport data has been leaked or uploaded to the dark web despite its systems being hacked.

The ASX-listed horticulture company is the latest Australian company to fall victim to a cyberattack, warning on Friday of a phishing attack on its server which contains data for the company’s berry operations.

The company said there is a risk that the personal data of workers at its berry farms has been compromised. Credit:Shutterstock

Costa said the company could not say exactly what the hackers accessed in August because they encrypted their downloads, but there was a risk that the personal information of workers, hired directly by the company since 2013 or by labor rental companies since 2019, may have been compromised.

“Such sensitive information may include the following: passport details, bank details, pension details [and] tax file numbers,” the company said.

The company is monitoring the dark web to try to determine if any of this sensitive information has been released, but said at this stage no release of the data has been identified. It is possible that several thousand employee records were affected, but it is not known which records were accessed.

“Costa has taken steps to protect against any further malicious attacks, including limiting traffic to servers, increasing the level of endpoint protection, and scheduling additional employee training regarding phishing and social engineering practices. “, said the company.

Australian businesses have been rocked by data breaches over the past two months. The attack on telecoms company Optus has had the biggest impact, with the data of nearly 10 million Australians stolen and the company set to face a class action lawsuit led by Maurice Blackburn.

Last week, ASX-listed companies Telstra and NAB confirmed they were also bitten when a breach of a third-party rewards platform resulted in the names and email addresses of current and former employees.

This attack did not involve a direct attack on the companies’ systems, but occurred when a corporate rewards platform called Pegasus was compromised.

Comments are closed.