cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Huge trove of Australian client data leaked following OracleCMS call centre hack

The personal details of thousands of individuals and more than a dozen local councils have leaked onto the dark web following a LockBit ransomware attack.

user icon David Hollingworth
Wed, 17 Apr 2024
Huge trove of Australian client data leaked following OracleCMS call centre hack
expand image

Infamous ransomware operator LockBit has struck again, this time targeting an Australian call centre operator.

LockBit appears to have made its attack on OracleCMS, which operates call centres across Australia, on 4 April before posting about the incident on its leak site on 12 April.

The gang did not editorialise on the attack but did publish several sample documents, including billing and financial details. LockBit also did not declare the ransom demand, only giving a deadline of 16 April before the entire dataset was published.


That deadline passed, and true to its word, LockBit has now published more than 60 gigabytes of data in a single compressed archive. The gang is also hosting the individual files on its leak site, and the data includes a large number of documents regarding OracleCMS’ clients.

In a folder labelled “Clients”, there are more than 50 folders for organisations, ranging from local councils to aged-care services. More than a dozen local councils are on the list, including Campbelltown Council, Tweed Shire Council, and Dandenong City Council.

Another half dozen folders contain files regarding the City of Sydney and five other local government entities – the cities of Kwinana, Moreton Bay, Playford, Busselton, and Marion.

Other OracleCMS clients listed in the leak include several law firms, a popular real estate agent, and the Queensland branch of the Philadelphia Church of God.

The client data ranges from on-call mobile numbers for various clients, all the way to detailed Excel spreadsheets with thousands of lines of data covering everything from, for instance, the location and metre IDs of every parking metre in the City of Sydney to a list of more than 2,000 people – including names and addresses – who subscribe to the Philadelphia Church of God’s Key of David program.

Generally speaking, much of the data is simply phone numbers and work emails of OracleCMS’ clients – pretty mundane stuff – but other data includes details of phone calls reporting issues to aged-care providers, including illnesses and domestic violence incidents. This data does not appear to be personally identifiable, but it is distressing content to see published on the dark net nonetheless.

Also included are client contracts, confidentiality agreements, and other internal OracleCMS documents.

OracleCMS has so far declined to comment on the incident, and Cyber Daily has reached out to the Philadelphia Church of God, as well as several other impacted clients.

The City of Sydney, however, is aware of the incident.

“OracleCMS is contracted to provide after-hours and overflow contact centre support for the City of Sydney,” a City of Sydney spokesperson told Cyber Daily.

“We are working with OracleCMS to investigate an incident that impacted them and, if necessary, enhance the protection of our information held by them.

“At this stage, we understand that no City of Sydney systems were breached in this incident.”

According to OracleCMS’ website, the company operates call centres in Adelaide, Perth, Brisbane, Melbourne, and Sydney.

UPDATE 22/04/24

OracleCMS has now released a statement on its website.

"OracleCMS has become aware of a cyber security incident in which a third party gained unauthorised access to a portion of OracleCMS’ data and has now published files online

Upon discovery, OracleCMS engaged external cyber security experts to help us secure our systems and investigate the incident.

Available evidence suggests that the impacted data is limited to corporate information, contract details, invoices, and triage process workflows. Any personal information, if present, is anticipated to be basic contact information as appears in contracts and invoices. We are advised that this data presents a low risk of misuse.

We have contacted the client organisations which our investigation has identified as potentially impacted and we will be working with them to notify those who require guidance and support to mitigate the risk of data misuse.

We understand this news may cause concern, and we are deeply sorry that this has happened. We are committed to keeping our stakeholders updated as we work to respond to this incident.

For further information, please contact our dedicated response team [email protected]."

The company has also issued advice for those affected by any data breach - you can read the full statement here.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.