Compass Group Australia Cyber Incident

Friday 27 September

Compass Group Australia has been investigating a cyber incident since early September, which resulted in an unauthorised third party accessing some data from our systems.

Since we became aware of the incident, we have worked continuously with forensic experts and specialist legal counsel to remove the threat, implement additional monitoring and surveillance, and verify what information was compromised. 

Protecting our people and our clients is our highest priority.

In anticipation that the accessed data may be illegally published online in the coming days or weeks, we are taking a number of legal steps to prevent this activity and limit its impact. This includes working with the Australian Federal Police to remove any material that is posted and taking court action to prevent any party from re-publishing that data.  

Our investigations into the nature and extent of the impacted data indicate that it primarily relates to a relatively small number of Compass Group Australia employees, including former employees.  We are in the process of formally notifying and supporting the individuals we have been able to identify so far.

We are also communicating with our clients. Compass Group Australia generally holds minimal client data, but we will communicate with our clients directly as soon as possible if we identify any of their sensitive data to be at risk.

We sincerely apologise for any concerns this incident has caused and encourage everyone to remain vigilant to any misuse of their personal information by taking the following general precautionary steps:

  • Remain alert to any increased scam activity, especially through email, text messages or telephone calls, particularly where the sender or caller purports to be from Compass Group.
  • If you receive any suspicious emails, text messages or telephone calls, do not provide your online account passwords, or any personal or financial information.
  • Do not respond to, open or click on links in emails/text messages if you are unsure about the sender.
  • Visit the Australian Cyber Security Centre’s webpage at https://www.cyber.gov.au/protect-yourself/
  • Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts.
  • Check your credit report (to alert you to any attempts to open a credit account in your name).
  • Stay informed of the latest threats by visiting https://www.cyber.gov.au/threats and the latest scams by visiting https://www.scamwatch.gov.au/.
  • Visit IDCARE’s Learning Centre and the OAIC website for further information and resources on protecting your personal information.

 

Friday 20 September

Compass Group Australia has been investigating a cyber incident since early September.

The investigation is ongoing, and we are continuing to work closely with leading global cybersecurity experts, specialist legal counsel and regulatory authorities.

Yesterday our security measures detected unauthorised activity on a server recently brought back online. In line with our security protocols, we disabled that system and contained the threat.  

Our priority is to ensure the ongoing security and stability of our systems and to provide support to those individuals whose high-risk information has been impacted. 

Importantly, we have progressed the forensic analysis of the data that we know has been impacted and have begun notifying people directly in instances where high-risk data has been accessed.  

We sincerely apologise for any impact on our employees, clients or suppliers. 

We have put in place a range of support measures for those who have been affected, including access to external professional support and advice on the precautionary measures people can take to safeguard their personal information. 

We will continue to update our employees, clients and suppliers as more details become available.

Wednesday 18 September

In early September 2024, Compass Group Australia detected unauthorised activity in part of our IT environment.

We immediately activated our incident response plan. Third-party forensic experts were engaged, and the affected systems were proactively disabled.

While we acted early to contain the incident, our investigations found that some data was taken from our systems by an unauthorised third party.

Compass Group Australia takes cybersecurity and data protection very seriously, and every effort is being made to understand the nature and scope of the affected data.  

We have communicated with clients, suppliers and employees, and apologise for any concern this incident has caused. We will continue to provide direct updates.

We have notified the relevant authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, who are providing support and assistance.    

Compass Group is taking a methodical approach to the restoration of systems, to ensure that we can confidently restore systems in a safe and secure way. Our priority is to ensure the integrity of our network and minimise the risk of future threats. The majority of systems have now been brought back online.

While the extent of the incident is still under investigation, we encourage employees, customers and suppliers to be vigilant across their digital accounts, including looking out for any unusual activities.  

We will continue to post updates on our website as they become available. 

FAQs

After we became aware of the issue in early September 2024, we immediately launched our incident response plan and proactively disabled some systems as a precaution and to remove any ongoing threat.

While there have been minimal operational impacts, in some instances we are using standard manual processes to continue to provide services during this time.  We apologise for any inconvenience caused while our systems remain offline.

We are engaging with our clients, suppliers and employees regularly, and we will advise when we are ready to restore all our impacted systems in a safe and secure way. The majority of systems have now been brought back online.

Our focus is on ensuring a secure and stable environment for our clients, suppliers and employees.

We are working closely with third-party forensic experts to investigate this incident and understand the nature and scope of the affected data.

While we are undertaking this investigation as a priority, this may take some time to complete. We are continuing to update clients and will communicate directly with individuals to provide further information, should it be identified that their high-risk information has been affected. We have notified the relevant regulatory authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, who are providing active support and assistance.     

We will provide relevant updates as the investigation unfolds. 

A small number of Compass Group systems are managed across Australia and NZ.

Our third-party forensic team is working hard to understand exactly what information has been compromised. Based on investigations to date, there is no evidence to suggest that data held by New Zealand systems has been impacted.

As a precaution, we have notified the National Cyber Security Centre and engaged with the Office of the Privacy Commissioner in New Zealand.  We continue to work with these agencies as required. We will provide relevant updates as the investigation unfolds.

We have been engaging with our clients, suppliers and employees regularly on operational issues.

If our investigations identify that high-risk information has been impacted by this incident, we will communicate directly with individuals to provide further information and offer guidance and advice on next steps.

In the meantime, we have provided general advice to our people about how to proactively manage their data privacy.

Yes. We have reported the incident to the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, who are providing assistance and support. We have also notified law enforcement.

We have also notified the National Cyber Security Centre and engaged the Office of the Privacy Commissioner in New Zealand, as a precaution. We continue to work with these agencies as required. We will provide relevant updates as the investigation unfolds.

Here are some steps that everyone can take to protect themselves against identity theft, scams or fraud:

  • Be vigilant for any unusual or suspicious online activity.
  • Avoid clicking on any links or opening any suspicious emails or attachments.
  • Be vigilant for any unrecognised or unsolicited telephone calls, emails or messages asking you to provide personal information.
  • Always verify the sender of any communications received to make sure they’re legitimate.
  • Update your passwords regularly, using ‘strong’ passwords and not re-using passwords for multiple accounts.
  • Enable multi-factor authentication for your online accounts where available.
  • Review guidance for protecting yourself from scams: www.scamwatch.gov.au
  • Request a free credit report from a credit reporting body (e.g. Equifax, illion and Experian in Australia) and check for any applications or requests that you did not make.

If our investigations identify that high-risk information has been impacted by this incident, we will communicate directly with those individuals to provide further information and offer guidance and advice on next steps.

Any further enquiries or concerns can be directed to [email protected].
