iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
The CHRG has begun sending letters to those impacted by a February ransomware attack.
Months after it fell victim to a ransomware attack, the Castle Hill RSL Group (CHRG) has begun sending letters to customers impacted by the incident and confirming that some data was compromised.
At the same time, CHRG has updated the advisory on its website with much the same text. The advisory, however, is not dated.
The letters were sent out around the middle of May and detail exactly what data has been impacted.
“Unfortunately, further forensic investigations have identified that limited personal information from current and historical databases belonging to the addressee, collected by CHRG in compliance with its legal requirements as a registered club, may have been subject to unauthorised access and disclosure,” the letter and website advisory both said.
“CHRG is taking all reasonable steps to limit the impact of, and meet its obligations to, the incident. To this end, we wish to inform current and past members of the information that may have been involved, and the steps that should be taken in response.”
The personal data involved includes full names, dates of birth, and contact information such as email, postal address, and phone numbers.
“We are disappointed that this information is involved,” the advisory said. “However, the risk of harm is limited, as this information is generally considered to have low sensitivity. In addition, based on our investigations, we believe that the data stolen from our systems is not publicly available.”
CHRG’s assertion of the availability of the data appears to be correct. A link on the 8Base leak site leads to an online file storage site, but the link leads to an error saying, “This folder was not found.”
When asked about the letter campaign, a CHRG spokesperson supplied the following statement.
“CHRG sent out notifications to affected individuals as soon as practicable in compliance with the Privacy Act. This required us to complete our investigations into the incident to identify the impacted data, the personal information it contained and affected individuals to be notified. This was a complex, time-consuming process that was undertaken as expeditiously," a CHRG spokesperson told Cyber Daily.
"We notified the ACSC of the Incident. We also notified and cooperated with the OAIC in compliance with the Privacy Act. CHRG is fully committed to minimising the impact of this incident, and meeting our obligations, to our members and visitors.”
8Base posted the initial details of the hack on 13 March 2024, with CHRG confirming at the time that it had detected the incident on 17 February.
At the time, CHRG said it was confident that membership data was not impacted.
“While our investigations are ongoing, we wanted to emphasise that our membership database, which is the central source of membership data, has not been impacted,” a CHRG spokesperson said.
The Castle Hill RSL Group includes several clubs in the area, including Castle Hill RSL, Club Parramatta, Castle Hill Fitness & Aquatic Centre, Lynwood Country Club, and Lynwood Golf Club. All of these clubs collect data to complement their services and benefits.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
