A horse-riding organisation has had the data of 10,000 users leaked after it said “neigh” to paying threat actors a demanded ransom.
Event Secretary, an organisation used by major horse riding and equestrian clubs to host events, had its data published on an online forum after it refused to pay ransom.
The initial attack occurred back in September last year, with the threat group claiming to have stolen the data of 10,000 Australian users, including names, email addresses, home addresses, phone numbers and bank details, including account numbers and BSBs.
According to a spokesperson from Event Secretary, the hack was a result of an API breach, and the organisation’s systems were under control within 24 hours.
The hacking group followed up with extortion attempts, saying that it had stolen data and that it would publish the data on the dark web if the organisation did not pay a ransom.
The spokesperson said that in response to the attack, Event Secretary notified those affected and reported to the relevant government authorities, including the Australian Signals Directorate (ASD), Australian Cyber Security Centre (ACSC), Office of the Australian Information Commissioner (OAIC), and the Register Office of the Information Commissioner. On top of that, they engaged ID Care.
“We followed all the procedures the government had in place. We certainly notified all the people concerned within 24 hours,” the spokesperson said, speaking with News.com.
Almost a year later, the hackers have now said they have published the data on the dark web.
The hackers said: “10,000 records from Australia users Equestrian website – www.eventsecretary.com.au – include name, address, email, phone, bank account.”
Analysis of the released data shows that while 10,000 records were indeed released, the hackers’ upload contained duplicate entries.
In an earlier attempt, the hacking group used phishing emails to try to convince people to give them money.
“The hackers’ initial attempt to extort money was done by sending people an email that they had won a monthly equestrian prize,” said Event Secretary.
“When there was no response, they attempted to blackmail Event Secretary that they would publish the data on the dark web.
“Event Secretary did not respond to this request. Since November last year, there has been no correspondence with any illegal entity.”
The company works with major organisations like the Horse Riding Club Association of Victoria and Equestrian Victoria, and it has been responsible for running an international-level event that was used for Olympic qualifications.
A total of 500 riders as part of Equestrian Victoria had their data leaked as a result of the attack. The organisation has said that its own systems remain secure, despite the attack.
“The data breach happened via a third-party entry platform and was not Equestrian Australia or Equestrian Victoria data or related to our membership,” it said.
“We were made aware of 500 riders’ data being accessed … The affected riders were notified of the breach at the time.
“Equestrian Victoria takes the privacy of our members’ data seriously, and we are confident that all the necessary steps have been taken to protect our members.”