Security Market Segment LS
Tuesday, 09 June 2020 09:00

MyBudget lack of disclosure shows breach law no use to public

MyBudget lack of disclosure shows breach law no use to public Image by Robin Higgins from Pixabay

ANALYSIS The Federal Government needs to take a serious look at beefing up its law on data breaches considering the way in which companies refuse to divulge whether their clients data is at risk, with a prime case being Australian money management firm MyBudget.

The company is staying silent on whether it has paid a ransom to attackers who used the Mespinoza/Pysa ransomware to take down its website and keep clients from using it for two weeks. In fact, the company is yet to list the name of the ransomware that took it down.

On its outages page, the firm says: "The investigation into the malware incident that caused the outage is ongoing. At present, there is no credible evidence that significant data was accessed or will be misused." This is misleading at best.

The next sentence reads: "Until we can totally rule this out, we are taking all cautionary measures. We’re working with cyber security experts, government agencies and law enforcement bodies to take appropriate action and to keep you updated."

But the updates are not present. A link titled "Read more about the malware incident and FAQs" goes to a page where there is a single line saying, "On Saturday May 9 2020, we experienced a malware incident that caused a system outage."

The MyBudget outage began on 9 May, with the company initially saying it was due to unspecified malware. Later, the firm said it was unspecified ransomware. iTWire revealed it to be Mespinoza/Pysa on 29 May.

This ransomware, which only attacks Windows systems, is one of the growing number that first exfiltrate files from a victim's system and then encrypt them on-site. After that the ransomware generates a ransom note which becomes visible on a victim's system; it specifies the amount of the ransom and also the address — normally a cryptocurrency wallet — to which it should be sent.

The ransomware attackers listed MyBudget on its dark web site but did not list any documents stolen from the company; this is normally down when the attackers are negotiating with a victim.

On 3 June, MyBudget's name was no longer on the Mespinoza/Pysa site, indicating that a ransom had been paid. Had that not been the case, the ransomware attackers would have begun listing documents from the company.

iTWire has sought answers from MyBudget twice, but the company's PR representative is staying silent. The danger in paying a ransom is that attackers may provide a decryption key to the victim, but may still go ahead and release the stolen files. After all, with the money in hand, why would crooks need to adhere to any promise?

MyBudget's 13,000-odd clients come from mostly the less-wealthy strata of Australian society. They pay $1100 to join the service and anything from $40 upwards per week as administration fees. MyBudget is also staying silent on whether it will waive administration fees for the two-week period when the site was not accessible to clients.

When the first major breach was revealed in Australia after the breach law came into effect on 22 February 2018, the authorities' reaction — not fully disclosing details of the breach at human resources outfit PageUp People — was interpreted as being one that would set a precedent for others that follow.

Cyber security and law expert Helaine Leggat told iTWire at the time that the Department of Home Affairs and other Australian authorities may have decided to practice "security through obscurity".

The long-suffering clients of MyBudget will get a rude surprise one day if they find that their personal information has been used to scam them.

The breach law needs to be strengthened so that the rights of consumers, especially those from the poorer classes, are safeguarded. Right now, the law is basically an arse-covering exercise for both the government and companies to avoid lawsuits.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News