Space Bears Ransomware Gang Leaks Sensitive Data from Victorian Financial Firm 3P Corporation
In early April, the Russia-linked ransomware group Space Bears listed 3P Corporation, a Melbourne-based financial services firm, as a victim on its darknet leak site. The hackers claimed to have stolen a trove of sensitive data, including financial documents, employee records, and client information.
By 10 April, Space Bears published details of the alleged breach, setting a ransom deadline of 18 April. After the deadline passed, the group released a 213.3GB compressed archive on a public file-hosting site, which had been downloaded 196 times by the time of reporting. The leaked data includes:
- Hundreds of authority-to-deduct forms with full bank details and customer signatures
- Trust account statements and remittance advices on 3P letterhead
- Employee payslips, internal templates, and files on over 4,500 business clients, including tax returns and signed deeds
- A document containing over 2,700 tax file numbers
3P Corporation, a holding company founded in 2013 by TV personality Peter Ziggy, provides accounting, tax, financial planning, and legal services. A spokesperson confirmed the 7 April attack, stating that their systems detected the intrusion before data could be encrypted. However, the leaked files suggest otherwise. The company reported the incident to the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) and notified staff and potential clients.
Space Bears, a relatively new ransomware group that emerged in April 2024, has claimed 71 victims to date, including NSW charity Christian Community Aid in January 2025. The group’s tactics highlight the growing threat of ransomware attacks targeting financial and professional services firms.
Source: https://www.ifa.com.au/melbourne-based-financial-services-and-advice-firm-hit-with-cyber-attack/
3P Corporation Ltd cybersecurity rating report: https://www.rankiteo.com/company/3p-corporation-ltd
"id": "3P-1774341062",
"linkid": "3p-corporation-ltd",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Over 4,500 business clients',
'industry': 'Accounting, Tax, Financial Planning, '
'Legal Services',
'location': 'Melbourne, Victoria, Australia',
'name': '3P Corporation',
'type': 'Financial services firm'}],
'customer_advisories': 'Notified potential clients',
'data_breach': {'data_encryption': 'No (claimed by company, but leaked files '
'suggest otherwise)',
'data_exfiltration': 'Yes',
'number_of_records_exposed': 'Over 2,700 tax file numbers, '
'hundreds of authority-to-deduct '
'forms, files on over 4,500 '
'business clients',
'personally_identifiable_information': 'Yes (bank details, '
'customer signatures, '
'tax file numbers, '
'employee payslips)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Financial documents',
'Employee records',
'Client information',
'Tax file numbers',
'Authority-to-deduct forms',
'Trust account statements',
'Remittance advices',
'Employee payslips',
'Internal templates',
'Tax returns',
'Signed deeds']},
'date_detected': '2025-04-07',
'date_publicly_disclosed': '2025-04-10',
'description': 'In early April, the Russia-linked ransomware group Space '
'Bears listed 3P Corporation, a Melbourne-based financial '
'services firm, as a victim on its darknet leak site. The '
'hackers claimed to have stolen a trove of sensitive data, '
'including financial documents, employee records, and client '
'information. By 10 April, Space Bears published details of '
'the alleged breach, setting a ransom deadline of 18 April. '
'After the deadline passed, the group released a 213.3GB '
'compressed archive on a public file-hosting site, which had '
'been downloaded 196 times by the time of reporting.',
'impact': {'brand_reputation_impact': 'High',
'data_compromised': '213.3GB of sensitive data',
'identity_theft_risk': 'High',
'payment_information_risk': 'High'},
'investigation_status': 'Ongoing',
'motivation': 'Financial gain',
'ransomware': {'data_encryption': 'No (claimed by company, but leaked files '
'suggest otherwise)',
'data_exfiltration': 'Yes',
'ransom_demanded': 'Yes (amount not specified)',
'ransom_paid': 'No',
'ransomware_strain': 'Space Bears'},
'references': [{'source': 'Darknet leak site (Space Bears)'}],
'regulatory_compliance': {'regulatory_notifications': 'Reported to ACSC'},
'response': {'communication_strategy': 'Notified staff and potential clients',
'containment_measures': 'Systems detected intrusion before data '
'could be encrypted (claimed by company)',
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes (Australian Signals '
'Directorate’s Australian Cyber '
'Security Centre - ACSC)'},
'threat_actor': 'Space Bears',
'title': 'Space Bears Ransomware Gang Leaks Sensitive Data from Victorian '
'Financial Firm 3P Corporation',
'type': 'Ransomware'}