
Case study 1 – Phishing attack

Phishing attack on Marathon Health

This is a real event that happened in our organisation. The staff member's name has been changed.

Simon, a Marathon Health employee, received an email to his work inbox late one night. He opened the email on his work phone and, when prompted, provided his username and password – Simon noticed no obvious red flags.

What happened next triggered a series of privacy breaches across the organisation and externally. Simon had fallen victim to a phishing attack – the breach occurred at 2.08am, but it wasn't until 7.15am that the IT Team were notified.

IT promptly deactivated Simon’s account and an investigation was launched.

The impact

As a result of this breach, it is estimated that up to 100 staff and contractors’ employment information was compromised – including names and contact information.

Office365 logs provided for the investigation were comprehensive and led to the discovery of the exact time of the breach, originating IP addresses of the attacker and methods they used to gain access.
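The log review described above, as an added illustration that is not part of the original case study: a small script that reads sign-in records, flags successful logins from an unfamiliar source IP or outside working hours, and works out how long the account was compromised before IT was notified. The records are constructed for this example; the field names (CreationTime, Operation, UserId, ClientIP, ResultStatus) are assumed to follow the layout of Office 365 Unified Audit Log AuditData entries, and the dates, addresses, baseline IP and working-hours window are all assumptions.

```python
import json
from datetime import datetime

# Constructed sample records (not real log data). Field names are assumed to
# follow the Office 365 Unified Audit Log AuditData layout; the dates are
# invented and the IPs come from documentation ranges.
SAMPLE_LOG = """\
{"CreationTime": "2021-03-09T16:41:12", "Operation": "UserLoggedIn", "UserId": "simon@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2021-03-10T02:05:47", "Operation": "UserLoggedIn", "UserId": "simon@example.org", "ClientIP": "198.51.100.77", "ResultStatus": "Failed"}
{"CreationTime": "2021-03-10T02:08:00", "Operation": "UserLoggedIn", "UserId": "simon@example.org", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2021-03-10T08:02:15", "Operation": "UserLoggedIn", "UserId": "simon@example.org", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
"""


def parse_log(text):
    """Parse one JSON record per line; CreationTime becomes a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def flag_logins(records, user, baseline_ips, work_hours=(7, 19)):
    """Return successful sign-ins for `user` that look anomalous, with reasons.

    A sign-in is flagged when its source IP is outside the user's baseline
    and/or when it happens outside the given working-hours window
    (start hour inclusive, end hour exclusive).
    """
    flagged = []
    start, end = work_hours
    for r in records:
        if (r["Operation"] != "UserLoggedIn" or r["UserId"] != user
                or r["ResultStatus"] != "Succeeded"):
            continue
        reasons = []
        if r["ClientIP"] not in baseline_ips:
            reasons.append("unknown source IP")
        if not start <= r["CreationTime"].hour < end:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((r["CreationTime"], r["ClientIP"], reasons))
    return flagged


def first_compromise(records, user, baseline_ips):
    """(timestamp, ip) of the earliest flagged sign-in, or None if nothing is flagged."""
    flagged = flag_logins(records, user, baseline_ips)
    return (flagged[0][0], flagged[0][1]) if flagged else None


def minutes_undetected(breach_time, notified_time):
    """Whole minutes between the compromise and the IT team being notified."""
    return int((notified_time - breach_time).total_seconds() // 60)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    baseline = {"203.0.113.10"}  # assumed: the address the user normally signs in from
    for when, ip, why in flag_logins(recs, "simon@example.org", baseline):
        print(f"{when}  {ip}  {', '.join(why)}")
    breach = first_compromise(recs, "simon@example.org", baseline)
    notified = datetime(2021, 3, 10, 7, 15)  # constructed notification time
    print("minutes undetected:", minutes_undetected(breach[0], notified))
```

The baseline set stands in for whatever the organisation already knows about a user's usual sign-in locations; in practice it would be built from weeks of earlier records rather than typed in. The failed attempt three minutes before the successful one is left unflagged on purpose, since the question being answered is when the account was actually accessed.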

It took the equivalent of three full-time staff (across IT, CGU and Marcomms) over three weeks to investigate and fix the issue – and that doesn’t include the financial costs of hiring a third party to undertake the forensic investigation.

The attack had to be registered with the Australian Government’s Office of the Australian Information Commissioner, and we were required to notify hundreds of people directly, advising them to take reasonable steps immediately to protect their identity. We were also required to advertise the attack through a statement on our website.

While the investigation was ongoing, Simon’s login details were disabled and he was provided with a temporary account with basic access. This severely affected his ability to work effectively as he was unable to access documents that had been emailed to him. If Simon had opened that email on his work laptop, his laptop would have also been removed to undergo forensic analysis and remediation.

The resolution

In response to the attack, IT implemented new security controls to minimise a recurrence of the same or similar event. To reduce the risk, technical enhancements such as Multi-Factor Authentication (MFA) and email filtering were implemented.

Steps have also been taken to reduce the chance of this happening again – the affected team attended training sessions and were encouraged to save documents rather than storing them in their email (a standard all staff should follow!).

However, the most effective measure against falling victim to these attacks is being aware of what phishing attacks are, knowing how to spot them, and taking the appropriate steps to ensure the email you are interacting with is legitimate.

Be a Marathon Health Cyber Smartie – do your part, #BeCyberSmart
