Tuesday, 09 June 2020 09:00

MyBudget lack of disclosure shows breach law no use to public

ANALYSIS The Federal Government needs to take a serious look at beefing up its law on data breaches, considering the way in which companies refuse to divulge whether their clients' data is at risk, with a prime case being Australian money management firm MyBudget.

The company is staying silent on whether it has paid a ransom to attackers who used the Mespinoza/Pysa ransomware to take down its website and keep clients from using it for two weeks. In fact, the company has yet to name the ransomware that took it down.

On its outages page, the firm says: "The investigation into the malware incident that caused the outage is ongoing. At present, there is no credible evidence that significant data was accessed or will be misused." This is misleading at best.

The next sentence reads: "Until we can totally rule this out, we are taking all cautionary measures. We’re working with cyber security experts, government agencies and law enforcement bodies to take appropriate action and to keep you updated."

But the updates are not present. A link titled "Read more about the malware incident and FAQs" goes to a page where there is a single line saying, "On Saturday May 9 2020, we experienced a malware incident that caused a system outage."

The MyBudget outage began on 9 May, with the company initially saying it was due to unspecified malware. Later, the firm said it was unspecified ransomware. iTWire revealed it to be Mespinoza/Pysa on 29 May.

This ransomware, which only attacks Windows systems, is one of a growing number that first exfiltrate files from a victim's system and then encrypt them in place. After that, the ransomware generates a ransom note which becomes visible on the victim's system; it specifies the amount of the ransom and also the address — normally a cryptocurrency wallet — to which it should be sent.

The ransomware attackers listed MyBudget on their dark web site but did not list any documents stolen from the company; this is normally done while the attackers are negotiating with a victim.

On 3 June, MyBudget's name was no longer on the Mespinoza/Pysa site, indicating that a ransom had been paid. Had that not been the case, the ransomware attackers would have begun listing documents from the company.

iTWire has sought answers from MyBudget twice, but the company's PR representative is staying silent. The danger in paying a ransom is that attackers may provide a decryption key to the victim, but may still go ahead and release the stolen files. After all, with the money in hand, why would crooks need to adhere to any promise?

MyBudget's 13,000-odd clients come mostly from the less-wealthy strata of Australian society. They pay $1100 to join the service and anything from $40 upwards per week in administration fees. MyBudget is also staying silent on whether it will waive administration fees for the two-week period when the site was not accessible to clients.

When the first major breach after the breach law came into effect on 22 February 2018 was revealed in Australia, the authorities' reaction — not fully disclosing details of the breach at human resources outfit PageUp People — was interpreted as setting a precedent for others that followed.

Cyber security and law expert Helaine Leggat told iTWire at the time that the Department of Home Affairs and other Australian authorities may have decided to practise "security through obscurity".

The long-suffering clients of MyBudget will get a rude surprise one day if they find that their personal information has been used to scam them.

The breach law needs to be strengthened so that the rights of consumers, especially those from the poorer classes, are safeguarded. Right now, the law is basically an arse-covering exercise for both the government and companies to avoid lawsuits.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.