The company is staying silent on whether it has paid a ransom to the attackers who used the Mespinoza/Pysa ransomware to take down its website and keep clients from using it for two weeks. In fact, the company has yet to name the ransomware that took it down.
On its outages page, the firm says: "The investigation into the malware incident that caused the outage is ongoing. At present, there is no credible evidence that significant data was accessed or will be misused." This is misleading at best.
The next sentence reads: "Until we can totally rule this out, we are taking all cautionary measures. We’re working with cyber security experts, government agencies and law enforcement bodies to take appropriate action and to keep you updated."
The MyBudget outage began on 9 May, with the company initially saying it was due to unspecified malware. Later, the firm said it was unspecified ransomware. iTWire revealed it to be Mespinoza/Pysa on 29 May.
This ransomware, which only attacks Windows systems, is one of a growing number that first exfiltrate files from a victim's system and then encrypt them in place. After that, the ransomware generates a ransom note which becomes visible on the victim's system; it specifies the amount of the ransom and also the address — normally a cryptocurrency wallet — to which it should be sent.
The ransomware attackers listed MyBudget on their dark web site but did not list any documents stolen from the company; this is normally the case while the attackers are negotiating with a victim.
On 3 June, MyBudget's name was no longer on the Mespinoza/Pysa site, indicating that a ransom had been paid. Had that not been the case, the ransomware attackers would have begun listing documents from the company.
iTWire has sought answers from MyBudget twice, but the company's PR representative is staying silent. The danger in paying a ransom is that attackers may provide a decryption key to the victim, but may still go ahead and release the stolen files. After all, with the money in hand, why would crooks need to adhere to any promise?
MyBudget's 13,000-odd clients come mostly from the less-wealthy strata of Australian society. They pay $1100 to join the service and anything from $40 upwards per week in administration fees. MyBudget is also staying silent on whether it will waive administration fees for the two-week period when the site was not accessible to clients.
When the first major breach was revealed in Australia after the breach law came into effect on 22 February 2018, the authorities' reaction — not fully disclosing details of the breach at human resources outfit PageUp People — was interpreted as setting a precedent for those that followed.
Cyber security and law expert Helaine Leggat told iTWire at the time that the Department of Home Affairs and other Australian authorities may have decided to practice "security through obscurity".
The long-suffering clients of MyBudget will get a rude surprise one day if they find that their personal information has been used to scam them.
The breach law needs to be strengthened so that the rights of consumers, especially those from the poorer classes, are safeguarded. Right now, the law is basically an arse-covering exercise for both the government and companies to avoid lawsuits.