GS1 Australia Data Breach Incident: Frequently Asked Questions

1. What happened?

On Friday 6 April 2018, we became aware that an unknown party sent unauthorised malicious emails to approximately 500 separate organisations/recipients via email addresses obtained from a GS1 Australia’s staff member account. 

Our research has identified that the primary data breach occurred on 29 March 2018 at 2:50pm when the perpetrator used a ‘phishing’ process to gain account details of a GS1 staff member.

On Friday 6 April between 10:30 and 11:00am, the perpetrator accessed that GS1 Australia’s staff member’s email account settings to extract contact email addresses and change account settings to reduce the chance of discovery. Later that same day an unknown party, masquerading as the unsuspecting GS1 Australia staff member, sent the unauthorised malicious emails using the acquired email addresses.

2. What did GS1 Australia do when it discovered the issue?

Once GS1 Australia became aware of the problem, we immediately took steps to determine the nature and scope of the issue.

As required in our data breach policy, an incident team was instantly formed to ensure we contained the issue, established the root cause, took remediation where necessary, and communicated with all affected parties. 

We are working with leading data security firms to review our entire security framework and procedures. We have also notified the Australian Information Commissioner.

3. What information was affected by this issue?

While the perpetrator of the data breach had access to that GS1 Australia’s staff member’s log in, the only information extracted was email addresses from the staff member’s contact list.

It is important to highlight that these email addresses were only sourced from the GS1 Australia’s user’s mail account and not any internal GS1 Australia records management systems. 

The affected data did not include government-issued identifiers (such as Social Security numbers and driver's license numbers) because we do not collect that information. Bank account and credit card data was not affected because it is collected, processed, and where relevant stored, separately.

4. What is ‘phishing’?

Phishing is a process used to obtain user credentials from unsuspecting recipients. 

In this data breach incident, a perpetrator masqueraded as a party known to the GS1 recipient and sent an email indicating there is proposal attached. The recipient responded to that email querying that the attachment could not be opened. 

The perpetrator had already placed themselves between the legitimate party and the unsuspecting GS1 Australia recipient which meant they could intercept the response and provide a link to a malicious web page. This web page asked for user account details. As the GS1 Australia recipient believed the exchange was legitimate they complied with these instructions. 

At this point the perpetrator was able to log in as the GS1 Australia recipient to gain access to whatever mail and system accounts the details allowed. 

Additionally, the perpetrator masked their trail by creating an inbox rule within the recipient’s mail account to temporarily re-direct all inbound emails to the deleted items mailbox. Once the perpetrator had extracted the desired data these redirections were removed.

5. When did GS1 Australia become aware of the issue?

On Friday 4 April 2018 around 2:00pm, diligent receivers of these new phishing emails began to report suspect activity to GS1 Australia.  

6. Do you know who did this?

We do not know the identity of the unauthorised party. Whilst we were able to identify the IP address where the malicious activity occurred, phishing perpetrators often change their IP address to obscure detection.

7. Who has been notified?

At 3:41pm on Friday 6 April, GS1 Australia issued an initial communication to all staff to be aware of the breach and provide instructions to ensure queries could be handled appropriately.

At 6:07pm on Friday 6 April, all identified impacted parties were notified by email of the data breach and advised what remedial action should be taken.  

GS1 Australia’s IT Support Desk contact information was provided for additional support. Some parties who called, both prior and after the notice email, were provided details and remediation advice on what to do, and what constitutes good practice to protect data.

8. What is the company doing to protect my account details?

Further investigation was conducted over three weeks following the breach to identify what data and systems were accessed, ensure that we had identified and notified all affected parties, and put in place appropriate changes to procedures, and staff awareness. 

Through review, further remediation actions have been identified to further enhance GS1 Australia’s ability to avoid and manage any future incidents.

We are taking steps to protect our community, including the following:

  • We are notifying all affected users to provide information on how they can protect their data.
  • We have recommended to our entire community that all users should change their passwords (to one of adequate ‘strength’ and urge users to do so immediately, and institute a regime of regularly changing passwords.
  • We continue to monitor for suspicious activity and to coordinate with authorities.
  • We are working with leading data security firms to review our complete technology environment and staff procedures to ensure we have sufficient protection for the type of data that we manage both internally and on behalf of our customers. 
  • We continue to educate our staff on what constitutes safe practice with regards to data security.
  • We continue to make enhancements to our systems to detect and prevent unauthorised access to user information.

9. I think I received an email about this issue. How do I know it is really from GS1 Australia?

Click here to view the content of our original and follow up email notices to the affected parties. Please note that the original genuine email from GS1 Australia about this issue did not ask you to click on any links or contain attachments and does not request your personal data.

If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information, the email was not sent by GS1 Australia and may be an attempt to steal your personal data.

Avoid clicking on links or downloading attachments from such suspicious emails.

Note that a link included in our follow up email to users, directs users to this GS1 Australia Data Breach Security Incident: Frequently Asked Questions page and does not request your personal data.

10. What should I do to help protect my information?

We take our obligation to safeguard your personal data very seriously. We are providing you with this update about this issue, so you too can take steps to help protect your information.

We recommend you:

  • Change your passwords to all your accounts (not just your GS1 Australia accounts) to one of adequate ‘strength’.  We urge all users to do this immediately, and to institute a regime of regularly changing passwords.
  • Review your accounts for suspicious activity.
  • Be cautious of any unsolicited communications even if they come from an address that on the surface appears to be genuine. 
  • Be especially suspicious of any communication that asks for your personal data or refers you to a web page asking for personal data.
  • Avoid clicking on links or downloading attachments from suspicious emails.

11. How can I get help on this issue?

In the first instance, we recommend you speak to your own technical support team or IT service provider.

If you require any further information or need assistance, please feel free to contact GS1 Australia at data.breach@gs1au.org.