CyberBakery Chronicles (16 May 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (16 May 2025)

Australia’s Human Rights Commission (AHRC) has confirmed a data breach involving a third-party file transfer tool, again spotlighting the increasing risks of supply chain and vendor-managed services. This breach, disclosed on 14 May 2025, is particularly noteworthy not only because of the sensitivity of the information involved but also because it comes from an agency tasked with upholding the fundamental rights of Australians.

What Happened?

The AHRC revealed it was affected by a cybersecurity breach involving a third-party platform, GoAnywhere MFT, a managed file transfer solution made by Fortra. This platform is widely used for securely sharing and storing data. However, cybercriminals also exploited it earlier this year in a global ransomware campaign linked to the Cl0p ransomware gang, which targeted vulnerabilities in the GoAnywhere system.

The Commission confirmed that some of its data was affected by that breach. While investigations are ongoing, AHRC stated it worked closely with the Australian Cyber Security Centre (ACSC) and other authorities to assess the scope and potential impact.

What Kind of Data Was Involved?

According to the AHRC’s statement, no operational systems were directly breached, and no evidence of misuse of the data has emerged so far. However, some files stored or transferred using the GoAnywhere platform may have been accessed without authorisation. These could include documents related to the Commission’s human rights investigations or internal administrative matters.

Given the nature of the AHRC’s work—dealing with often highly sensitive personal, legal, and ethical information—any unauthorised access is significant, even if actual misuse hasn’t been confirmed.

How Is AHRC Responding?

The Commission has taken the following steps:

  • Notified the Office of the Australian Information Commissioner (OAIC) in line with the requirements of the Notifiable Data Breaches (NDB) scheme.

  • Engaged cybersecurity experts to support containment and assessment.

  • Implemented additional security measures across its digital infrastructure.

  • Proactively reached out to affected individuals where appropriate.

What Should Other Organisations Learn? 

  • Third-party vendor assessments are no longer optional. Ensure all vendors—especially those handling sensitive data—undergo rigorous security vetting and contractual controls.

  • Patch and vulnerability management are critical. Your data is at risk if your vendors are slow to respond to zero-days or known exploits.

  • Have a breach response plan. The AHRC’s swift action, including public disclosure, engagement with ACSC, and transparency with the OAIC, reflects a mature incident response approach.

  • Monitor file transfer tools (MFTs). They are often overlooked, but they are treasure troves for attackers. Regular reviews and audit logging should be standard.
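The last point above is easy to state and rarely done in practice. As an added example (not from the newsletter or from any MFT vendor), the following script shows what a scheduled review of an MFT audit log can look like: it parses a constructed, comma-separated log (the format, user names, IPs and byte counts are all invented here and do not represent GoAnywhere's real log format), flags any account whose download volume inside a short time window exceeds a bulk threshold, and flags service accounts acting from a source IP outside their allowlist. Both checks are the kind of thing that surfaces mass exfiltration through a file transfer appliance well before a public disclosure does.

```python
"""Review a file-transfer (MFT) audit log for bulk-download anomalies.

Added example for this newsletter; the log format, accounts and addresses
are constructed and do not reflect any real product's audit log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: ISO timestamp, user, source IP, action, path, bytes.
SAMPLE_AUDIT_LOG = """\
2025-05-10T09:12:01Z,alice,10.0.0.5,DOWNLOAD,/cases/c-1001.pdf,204800
2025-05-10T09:15:44Z,alice,10.0.0.5,UPLOAD,/cases/c-1002.pdf,310000
2025-05-10T23:41:09Z,svc-transfer,203.0.113.77,DOWNLOAD,/cases/c-1003.pdf,52428800
2025-05-10T23:41:12Z,svc-transfer,203.0.113.77,DOWNLOAD,/cases/c-1004.pdf,61440000
2025-05-10T23:41:15Z,svc-transfer,203.0.113.77,DOWNLOAD,/hr/payroll-2024.xlsx,15728640
2025-05-11T08:02:30Z,bob,10.0.0.9,DOWNLOAD,/admin/notes.txt,1024
"""

# Hypothetical policy: where each service account is expected to connect from.
ALLOWED_SERVICE_IPS = {"svc-transfer": {"10.0.0.20"}}
BULK_BYTES = 100 * 1024 * 1024       # more than 100 MiB downloaded ...
WINDOW = timedelta(minutes=10)       # ... within any 10-minute window


def parse_log(text):
    """Turn the constructed CSV lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, action, path, size = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src_ip": src_ip, "action": action,
            "path": path, "bytes": int(size),
        })
    return events


def find_bulk_downloads(events, threshold=BULK_BYTES, window=WINDOW):
    """Flag users whose DOWNLOAD volume inside any `window` exceeds `threshold`.

    Uses a per-user sliding window over time-sorted events.
    Returns {user: peak_bytes_within_window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "DOWNLOAD":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, total, peak = 0, 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            # Drop events that have fallen out of the window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            peak = max(peak, total)
        if peak > threshold:
            flagged[user] = peak
    return flagged


def find_unexpected_service_ips(events, allowlist=ALLOWED_SERVICE_IPS):
    """Flag service-account activity from source IPs outside the allowlist.

    Returns a sorted list of (user, src_ip) pairs.
    """
    seen = set()
    for e in events:
        allowed = allowlist.get(e["user"])
        if allowed is not None and e["src_ip"] not in allowed:
            seen.add((e["user"], e["src_ip"]))
    return sorted(seen)


def review(text):
    """Run both checks over a log and return the combined findings."""
    events = parse_log(text)
    return {
        "bulk_downloads": find_bulk_downloads(events),
        "unexpected_service_ips": find_unexpected_service_ips(events),
    }


if __name__ == "__main__":
    for check, result in review(SAMPLE_AUDIT_LOG).items():
        print(f"{check}: {result}")
```

On the constructed data, the service account that pulls three case and HR files from an unexpected address at 23:41 trips both checks, while alice's normal daytime activity does not. The thresholds and allowlist are placeholders; a real deployment would derive them from each account's observed baseline and feed the findings into whatever ticketing or SIEM pipeline the organisation already runs.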

While the Human Rights Commission’s data breach may not involve widespread data theft (based on current evidence), it does raise fundamental questions about how government bodies and private organisations manage their digital trust ecosystems.

Cybersecurity is no longer just about protecting your systems—it’s about managing a web of interconnected services, platforms, and people.

Trust must be continuously earned and verified in today's threat landscape, not assumed.

Education publishing powerhouse Pearson has confirmed a significant cybersecurity breach that resulted in corporate data and customer information theft. The UK-based company, which provides academic publishing, digital learning tools, and standardised assessments to schools and universities in over 70 countries, acknowledged the incident in a statement.

"We recently discovered that an unauthorised actor gained access to a portion of our systems," a Pearson representative confirmed. "Once we identified the activity, we took steps to stop it and investigate what happened and what data was affected with forensics experts."

The security lapse had severe consequences. Over several months, attackers reportedly leveraged the initial access to obtain additional hard-coded credentials and authentication tokens for various cloud platforms, including AWS, Google Cloud, Snowflake databases, and Salesforce CRM systems. The cybercriminals allegedly exfiltrated terabytes of data from Pearson's internal network and cloud infrastructure using these stolen credentials.

The stolen information reportedly includes customer data, financial records, support tickets, and proprietary source code, potentially affecting millions of individuals. While Pearson has confirmed the breach and the data theft, the company characterised the stolen information as "largely legacy data" without specifics on exactly what was taken or how many customers were affected.

"We have taken steps to deploy additional safeguards onto our systems, including enhancing security monitoring and authentication," the company stated, adding that no employee information was included in the breach. Pearson declined to answer questions regarding possible ransom payments or whether affected customers would be notified.

Security experts note that this incident follows a concerning pattern of attacks targeting exposed Git configuration files. Last year, the Internet Archive suffered a similar breach when attackers discovered an authentication token in an exposed Git configuration file. Cybersecurity professionals emphasise that organisations must secure .git/config files by preventing public access and avoiding the practice of embedding credentials in remote URLs.
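The advice above has a concrete, checkable form: a remote URL of the shape `https://user:token@host/repo.git` is a credential sitting in a plain-text file, and so is an `http.extraHeader` carrying an `Authorization` value. As an added example (not code from Pearson, the Internet Archive or any Git project), the script below parses a constructed `.git/config` (the hosts and token values are invented placeholders) and reports every remote URL or HTTP header that embeds a credential, redacting the secret in its output so the report itself does not become a second leak. It is the sort of check that belongs in a pre-commit hook or a periodic scan of deployment directories.

```python
"""Audit a Git config for credentials embedded in remote URLs or headers.

Added example for this newsletter; the sample config below is constructed
and its hosts and tokens are placeholders, not real values.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed .git/config: one remote with an embedded token (bad), one
# SSH-style remote (fine), and an Authorization header stored in config (bad).
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://ci-bot:ghp_EXAMPLETOKEN123@git.example.invalid/org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@mirror.example.invalid:org/app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[http]
\textraheader = AUTHORIZATION: basic Y2ktYm90OnNlY3JldA==
"""

# Matches `[section]` and `[section "subsection"]` headers.
_SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')


def parse_git_config(text):
    """Parse git's INI-like config into {section: [(key, value), ...]}.

    Section names follow git's dotted convention: [remote "origin"]
    becomes 'remote.origin'. Comments (# or ;) are stripped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.groups()
            current = name.lower() + ('.' + sub if sub else '')
            sections.setdefault(current, [])
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        sections[current].append((key.lower(), value))
    return sections


def redact_url(url):
    """Return the URL with any userinfo password replaced by '***'."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ''
    if parts.port:
        host += f':{parts.port}'
    netloc = f'{parts.username}:***@{host}'
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def audit_git_config(text):
    """Return a list of (section, key, reason, redacted_value) findings."""
    findings = []
    for section, items in parse_git_config(text).items():
        top = section.split('.', 1)[0]
        for key, value in items:
            # Remote URLs: only a password/token in the userinfo is a secret;
            # an SSH user name such as git@host is not.
            if top == 'remote' and key in ('url', 'pushurl'):
                if urlsplit(value).password is not None:
                    findings.append((section, key,
                                     'credential embedded in remote URL',
                                     redact_url(value)))
            # http.extraHeader (including http.<url>.extraHeader) carrying
            # an Authorization value is a stored credential as well.
            elif top == 'http' and key == 'extraheader' \
                    and value.lower().startswith('authorization:'):
                findings.append((section, key,
                                 'authorization header stored in config',
                                 value.split(':', 1)[0] + ': ***'))
    return findings


if __name__ == '__main__':
    for section, key, reason, shown in audit_git_config(SAMPLE_GIT_CONFIG):
        print(f'[{section}] {key}: {reason} -> {shown}')
```

The scan only finds what is already written down; the fix is to move the token into a credential helper (`git config credential.helper`) or an SSH key, and to keep the web server from serving the repository metadata at all (for nginx, a `location ~ /\.git { deny all; }` block is the usual rule). The redaction step matters because audit output tends to end up in tickets and chat, which is exactly where a leaked token should not reappear.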

The Pearson breach may be connected to an earlier disclosed investigation from January involving the company's subsidiary PDRI, though the company has not confirmed this connection publicly.

In 2024, Australia experienced a significant surge in data breaches, with over 1,100 incidents reported to the Office of the Australian Information Commissioner (OAIC). This marks the highest annual total since the Notifiable Data Breaches (NDB) scheme’s inception in 2018. 

Key Statistics: 

  • In 2024, 1,113 data breaches were reported, the highest annual number since the NDB scheme began.

  • 595 data breaches were reported in the second half of 2024, up from 518 in the first half.

  • Malicious or criminal attacks caused 69% of breaches in the second half of 2024.

  • 66% of malicious breaches were classified as cybersecurity incidents.

  • The most common causes of cyber incidents were phishing (30%), compromised or stolen credentials (27%), and ransomware (24%).

  • Human error accounted for 30% of all data breaches. Health service providers reported the most breaches by sector (22%), followed by the finance sector (10%) and the Australian Government (17%).

  • 62% of breaches affected fewer than 100 individuals.

  • 40 breaches affected more than 5,000 individuals, with 5 incidents impacting over 1 million people.

  • 66% of breaches were identified within 30 days of occurring.

  • 78% of Australian Government breaches were notified more than 30 days after being identified, showing delays in public sector reporting.

  • The OAIC accepted an enforceable undertaking from Oxfam Australia over a data breach dating back to January 2021.

    Image: OAIC Report

Top 5 Sectors Impacted:

The health sector reported the highest number of breaches, followed by finance and education, indicating that sectors handling sensitive personal information are prime targets for cyberattacks.

Image: OAIC Report

Conclusion:

In 2024, Australia witnessed an unprecedented surge in data breaches, revealing the escalating cyber threats that organisations are confronting. This alarming increase not only indicates the sophistication of attacks but also showcases significant advancements in how breaches are detected and reported. The situation underscores an urgent and vital need for organisations to implement robust cybersecurity measures and adopt proactive risk management strategies to protect sensitive information across all sectors. As cybercriminals continue to evolve, it is crucial for businesses to stay ahead of these threats and prioritise the security of their digital infrastructure.

A recently identified vulnerability affecting modern Intel CPUs, referred to as "Branch Privilege Injection" (BPI), poses significant security risks by allowing attackers to extract sensitive data from protected memory regions utilised by privileged software, including operating system kernels.

These protected memory regions are crucial as they often store highly confidential information, such as user passwords, encryption keys, and essential kernel data structures. Consequently, they represent high-value targets for malicious actors seeking to exploit system security.

The research team from ETH Zurich, comprising Sandro Rüegge, Johannes Wikner, and Kaveh Razavi, has made a notable breakthrough by revealing this vulnerability. They found that, while existing mitigations for the Spectre v2 vulnerability have been largely effective for the past six years in protecting against certain attacks, their new discovery involving "Branch Predictor Race Conditions" presents a serious challenge. This newly identified exploit has the capability to circumvent these defences, thereby exposing sensitive data and potentially allowing attackers to compromise the integrity of the systems that rely on these CPUs.

As this vulnerability gains attention, it underscores the ongoing need for improved security measures and vigilance in protecting sensitive information within computing environments.

Read ETH Zurich Paper HERE

Alex Mashinsky, the former CEO of Celsius Network, has been sentenced to 12 years in federal prison for orchestrating a massive fraud that misled investors and led to billions in losses.

Alex Mashinsky enters court to be sentenced. (Image credit: Bloomberg via Getty Images)

At its peak, Celsius managed over $25 billion in assets, attracting users with promises of high returns on crypto deposits. However, the company’s risky investment strategies and lack of transparency led to its collapse in 2022, leaving customers unable to access their funds.  

U.S. District Judge John Koeltl, who presided over the case, emphasised the severity of Mashinsky’s actions and the need for accountability in the cryptocurrency industry. Mashinsky was also ordered to forfeit $48 million as part of his sentence.  

This case underscores the importance of regulatory oversight and transparency in the rapidly evolving crypto sector, highlighting the potential risks investors face in unregulated markets.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
