Newcomer Morpheus says it was behind an August 2024 compromise of an Australian pharmaceuticals and healthcare firm, posting employee passport scans to the dark web as proof.
In October of last year, Australian health and wellness firm DBG Health posted a notification of a cyber security incident on its website.
“On 25 August 2024, DBG (and its related companies, including Apotex) became aware that a malicious third party had obtained unauthorised access to a DBG storage server and had exfiltrated data from that server,” DBG Health said in its 29 October notification.
“The server contained clinical consent forms that were collected as part of in-pharmacy vaccination, pain clinic and bone density clinic services that Apotex provided to individuals between 2012 and 2015 (In-Pharmacy Clinics).”
DBG Health apologised for the incident at the time and noted that patient phone numbers and health information had been compromised. The company also said it had informed the Office of the Australian Information Commissioner on 16 September.
However, late last year, a newly emerged ransomware operation, calling itself Morpheus, claimed responsibility for the hack, sharing a small selection of allegedly stolen data as proof.
Morpheus specifically listed Arrotex Pharmaceuticals – one of DBG Health’s business units, created in 2019 via a merger between Apotex Australia and Arrow Pharmaceuticals – as the victim, saying that parties interested in learning more about the data should sign up to the site and contact the group’s admin directly.
The ransomware gang also said the scope of the breach was far wider than first reported.
“The extent of the cyber security incident is not completely revealed in the published article,” a Morpheus spokesperson said, referring to DBG Health’s October breach notification.
“The volume of extracted data, ready for sale or publication, is nearly 2.5 (terabytes).”
According to the hackers, the stolen data includes confidential documents, recruitment information, information about DBG’s partners, case reviews, sales and distributor data, business plans, and more.
The proof-of-hack data includes listings of Arrotex employees, including phone numbers and email addresses, two pharmaceutical documents from the Therapeutic Goods Administration, and a pair of passport scans – both valid – which appear to belong to prior or current employees of DBG Health.
Cyber Daily has reached out to DBG Health for comment on Morpheus’ claims but has yet to receive a response.
Arrotex Pharmaceuticals is one of just two victims currently listed on Morpheus’ leak site and looks to be the gang’s very first victim. The leak site is remarkably stark and gives little away about the group’s identity or nationality.
According to its website, DBG Health is “the largest by volume, and most diverse, health, wellness, and beauty company in Australia and now starting to expand overseas”, and its brands include Chemists’ Own, APOHEALTH, and 28GO. Its four business units are Arrotex Pharmaceuticals, VidaCorp Consumer Brands, AXE Health Services, and Independent Pharmacies Australia, which itself includes Alliance Pharmacy, Chemist Discount Centre, and Pharmacy Catalyst.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.