A flurry of ransomware attacks that hit the owner of Holey Moley, a WA aged care facility and a trucking business should serve as a warning that companies of all sizes need to be vigilant, says a cyber defence firm.
Funlab — which owns popular mini golf chain Holey Moley, Strike Bowling and arcade bar B. Lucky & Sons, with several in the metro area — was targeted by a cyber attack on September 20 that caused two days of IT system issues.
A spokesman for the business confirmed operations had returned to normal and that “only a small number of current and former employees — in the low double digits — have had limited information accessed.”
Know the news with the 7NEWS app: Download today
“Detailed work has been completed, and while continuing with the assistance of our external experts, Funlab does not believe guest data has been accessed,” he said.
“Some of that information is redundant given the expiry dates of the data. Funlab has reached out to any employee, past or present, that it considers may have had any data accessed and is providing the appropriate assistance.”
Just days before the Funlab incident, TPG Aged Care in Kingsley was targeted by a hacker who managed to gain unauthorised access to servers and nab about 65GB worth of data.
A company spokeswoman said its IT security systems were restored, but the group was still working to notify anyone impacted by the breach.
“TPG Aged Care has reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner and is working with the independent forensic IT and other specialist advisers to understand what information was accessed and to ensure that our systems are protected,” a spokeswoman said.
Welshpool trucking business Road Distribution Services was also caught up in a similar attack.
The attacks on smaller, local businesses are at odds with the usual targets of bigger companies in Australia — such as Medibank, Optus, Latitude, and ports operator DP World — which are usually the focus of ransomware incidents.
Sushant Arora, regional vice-president for London-based cyber security firm Darktrace, said the attacks were “sobering reminders” about the threats to businesses.
“Every organisation needs to invest in board-level cybersecurity education and training, implementing AI-powered cyber defence systems, regularly assessing and addressing cybersecurity risks across the entire supply chain, and fostering a culture of cybersecurity awareness throughout the organisation,” he said.
“With multiple companies falling victim in such a short span of time, it is clear that cyber resilience is no longer just an IT issue – it’s a fundamental business imperative that demands immediate board-level attention.”
Following a string of high-profile attacks in recent years, questions have been raised about the extent of a company and board’s responsibility to ensure the safe storage of sensitive customer data.
The Australian Information Commissioner this year sued Medibank, alleging the insurance giant “seriously interfered” with the privacy of 9.7 million people by failing to protect their data during a major cyber attack in October 2022