Australian pension provider Spirit Super suffered a data breach incident after an employee’s email account was accessed.
An unauthorized party gained access to a mailbox containing personal data that included names and other sensitive information of approximately 50,000 individuals.
The personal data included names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020).
The breach was the result of a widespread phishing campaign. The team detected it, restored the compromised account, and acted quickly to contain and limit the impact of the breach.
TPRM report: https://scoringcyber.rankiteo.com/company/spirit-super
"id": "spi34211822",
"linkid": "spirit-super",
"type": "Breach",
"date": "05/2022",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of a geographical region"
{'affected_entities': [{'customers_affected': 50000,
'industry': 'Financial Services',
'location': 'Australia',
'name': 'Spirit Super',
'type': 'Pension Provider'}],
'attack_vector': 'Phishing',
'data_breach': {'number_of_records_exposed': 50000,
'personally_identifiable_information': ['names',
'addresses',
'ages',
'email addresses',
'telephone numbers',
'member account '
'numbers',
'member balances'],
'type_of_data_compromised': ['personal data']},
'description': 'Australian pension provider Spirit Super suffered a data '
'breach incident after an employee’s email account was '
'accessed. An unauthorized party gained access to a mailbox '
'containing personal data that included names and other '
'sensitive information of approximately 50,000 individuals. '
'The personal data included names, addresses, ages (as at 2019 '
'and 2020), email addresses, telephone numbers, member account '
'numbers, and member balances (as at 2019 and 2020). The '
'breach was a result of a widespread phishing campaign which '
'the team detected and restored the compromised account and '
'acted quickly to contain and limit the impact of the breach.',
'impact': {'data_compromised': ['names',
'addresses',
'ages',
'email addresses',
'telephone numbers',
'member account numbers',
'member balances']},
'initial_access_broker': {'entry_point': 'Email account'},
'post_incident_analysis': {'root_causes': 'Phishing campaign'},
'response': {'containment_measures': 'Restored the compromised account and '
'acted quickly to contain and limit the '
'impact of the breach.'},
'title': 'Spirit Super Data Breach Incident',
'type': 'Data Breach',
'vulnerability_exploited': 'Email account compromise'}