Event Secretary Data Breach

Saturday, 8 July 2023

Australian horse riding organisation Event Secretary saw the data of 10,000 users leaked online after saying "neigh" to paying threat actors a demanded ransom. The cyber criminals that had previously threatened to leak the data have indeed followed through with their threats.

Last month, the data of Event Secretary users was published in an online forum. Unfortunately, Event Secretary was the platform that several major Australian horse riding organisations used to book and enter into equestrian competitions, and this has exposed riders and other admin users to hackers.

The hackers claim to have obtained the names, phone numbers, email addresses, physical addresses, and what is described as "bank details" of 10,000 users of the Australian horse riding site. The "bank details" appear to be the branch and account number for the users.

It is unclear how long the hackers gave Event Secretary to pay the ransom, though it is known that the initial ransom was requested in September 2022. Nearly a full year later, the "10,000 records from Australia users Equestrian website" were published online after ransom demands had still not been met.

"In the last 12 months, we've seen three of the most significant corporate data breaches of Australian companies in Australia's history," says Lowy Institute Public Opinion and Foreign Policy Director Ryan Neelam. "That's directly affected citizens who have had their medical records splashed over the dark web, so it makes sense that people would be conscious of that."

Event Secretary was involved in the running of multiple events, including an international level event which is used for Olympic qualifications.

A spokesperson for Event Secretary claimed that "We followed all the procedures the government had in place. We certainly notified all the people concerned within 24 hours. The hackers' initial attempt to extort money was done by sending people an email that they had won a monthly equestrian prize."

"When there was no response, they attempted to blackmail Event Secretary that they would publish the data on the dark web. Event Secretary did not respond to this request. Since November last year there has been no correspondence with any illegal entity."

Rather than communicate with the hackers directly, Event Secretary instead lodged reports with several government agencies including the ACSC, Australian Signals Directorate, ID Care, OAIC, and the Register Office of Information Commissioner.

It's believed that two major organisations in Australia's equestrian industry are also caught up in the data breach. The Horse Riding Clubs Association of Victoria (HRCAV) and Equestrian Victoria both used Event Secretary to host several of their events.

Equestrian Victoria said 500 of their riders had their data leaked from the cyber attack. "Equestrian Victoria was made aware of a data breach from our Spring Horse Trials in September 2022," a spokesperson said. "The data breach happened via a third party entry platform and was not Equestrian Australia or Equestrian Victoria data or related to our membership."

"We were made aware of 500 riders' data being accessed. The affected riders were notified of the breach at the time. Equestrian Victoria takes the privacy of our members' data seriously and we are confident that all the necessary steps have been taken to protect our members."

Event Secretary is just the latest Australasian firm to be revealed to have fallen victim to a ransomware attack in recent months. Last month, Eftpos provider SmartPay suffered a data breach. Earlier that month, Fire and Emergency NZ (FENZ) was caught up in a hack on their IT supplier Lantech.

There was also the notorious hacking of financial firm Latitude, which saw the passport numbers, driver's licences and Medicare numbers stolen from millions of customers across Australia and New Zealand.

