Compass Group Australia Cyber Incident

Friday 27 September

Compass Group Australia has been investigating a cyber incident since early September, which resulted in an unauthorised third party accessing some data from our systems.

Since we became aware of the incident, we have worked continuously with forensic experts and specialist legal counsel to remove the threat, implement additional monitoring and surveillance, and verify what information was compromised. 

Protecting our people and our clients is our highest priority.

In anticipation that the accessed data may be illegally published online in the coming days or weeks, we are taking a number of legal steps to prevent this activity and limit its impact. This includes working with the Australian Federal Police to remove any material that is posted and taking court action to prevent any party from re-publishing that data.  

Our investigations into the nature and extent of the impacted data indicate that it primarily relates to a relatively small number of Compass Group Australia employees, including former employees.  We are in the process of formally notifying and supporting the individuals we have been able to identify so far.

We are also communicating with our clients. Compass Group Australia generally holds minimal client data, but we will communicate with our clients directly as soon as possible if we identify any of their sensitive data to be at risk.

We sincerely apologise for any concerns this incident has caused and encourage everyone to remain vigilant to any misuse of their personal information by taking the following general precautionary steps:

  • Remain alert to any increased scam activity, especially through email, text messages or telephone calls, particularly where the sender or caller purports to be from Compass Group.
  • If you receive any suspicious emails, text messages or telephone calls, do not provide your online account passwords, or any personal or financial information.
  • Do not respond to, open or click on links in emails/text messages if you are unsure about the sender.
  • Visit the Australian Cyber Security Centre’s webpage at https://www.cyber.gov.au/protect-yourself/
  • Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts.
  • Check your credit report (to alert you to any attempts to open a credit account in your name).
  • Stay informed of the latest threats by visiting https://www.cyber.gov.au/threats and the latest scams by visiting https://www.scamwatch.gov.au/.
  • Visit IDCARE’s Learning Centre and the OAIC website for further information and resources on protecting your personal information.

 

Friday 20 September

Compass Group Australia has been investigating a cyber incident since early September.

The investigation is ongoing, and we are continuing to work closely with leading global cybersecurity experts, specialist legal counsel and regulatory authorities.

Yesterday our security measures detected unauthorised activity on a server recently brought back online. In line with our security protocols, we disabled that system and contained the threat.  

Our priority is to ensure the ongoing security and stability of our systems and to provide support to those individuals whose high-risk information has been impacted. 

Importantly, we have progressed the forensic analysis of the data that we know has been impacted and have begun notifying people directly in instances where high-risk data has been accessed.  

We sincerely apologise for any impact on our employees, clients or suppliers. 

We have put in place a range of support measures for those who have been affected, including access to external professional support and advice on the precautionary measures people can take to safeguard their personal information. 

We will continue to update our employees, clients and suppliers as more details become available.

 

Wednesday 18 September

In early September 2024, Compass Group Australia detected unauthorised activity in part of our IT environment.

We immediately activated our incident response plan. Third-party forensic experts were engaged, and the affected systems were proactively disabled.

While we acted early to contain the incident, our investigations found that some data was taken from our systems by an unauthorised third party.

Compass Group Australia takes cybersecurity and data protection very seriously, and every effort is being made to understand the nature and scope of the affected data.  

We have communicated with clients, suppliers and employees, and apologise for any concern this incident has caused. We will continue to provide direct updates.

We have notified the relevant authorities, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, who are providing support and assistance.    

Compass Group is taking a methodical approach to the restoration of systems, to ensure that we can confidently restore systems in a safe and secure way. Our priority is to ensure the integrity of our network and minimise the risk of future threats. The majority of systems have now been brought back online.

While the extent of the incident is still under investigation, we encourage employees, customers and suppliers to be vigilant across their digital accounts, including looking out for any unusual activities.  

We will continue to post updates on our website as they become available. 

FAQs

When we became aware of the issue in early September 2024, we immediately launched our incident response plan and proactively disabled some systems as a precaution and to remove any ongoing threat. 

As at 23 September, all of our systems have been restored to normal operational processes.

This is the subject of an ongoing investigation, and we are working closely with external cybersecurity experts, specialist legal counsel and regulatory authorities to understand the extent of the affected data.  

While this process will take some time to complete, we have progressed with our forensic analysis and have begun notifying some Compass Group Australia employees and former employees in instances where we know high-risk data has been accessed. 

We have begun contacting these individuals to tell them what information was involved, how we are supporting them, and the steps they can take to protect themselves against the risk of identity theft, scams or fraud.

We are currently in the process of formally notifying approximately 150 individuals, or about 1% of our workforce, about the cyber breach. The number of impacted individuals may increase in the coming weeks as our forensic investigation continues.

We sincerely apologise to our employees, clients and suppliers for any concerns this incident has caused.

A small number of Compass Group systems are managed across Australia and New Zealand. 

Our external forensic team is working hard to understand exactly what information has been compromised. Based on investigations to date, there is no evidence to suggest that data held by New Zealand systems has been impacted. 

As a precaution, we have notified the National Cyber Security Centre and engaged with the Office of the Privacy Commissioner in New Zealand.  We continue to work with these agencies as required. We will provide relevant updates as the investigation unfolds. 

Compass Group Australia has put in place a number of services to support individuals who have had high-risk personal information compromised.

The following measures will be available depending on a person’s individual circumstances:

  • IDCARE: We have partnered with IDCARE, Australia and New Zealand’s national identity and cyber support community service. IDCARE’s expert case managers will work with impacted individuals to address any concerns about risks to their personal information, and any instances where they think information might be misused. IDCARE’s services are available at no cost to those affected by the cyber incident.
  • Equifax: In Australia, we are providing free access for up to 1 year of cover under the Equifax Credit & Identity Protect subscription plan to monitor for any fraudulent activity.
  • ID replacement: Where someone’s primary identity documents have been compromised, and the advice from the issuing government agency is to replace the document, Compass Group Australia will reimburse the cost of the replacement.

In addition to the above, we are recommending that individuals take the following general precautionary steps and remain vigilant to any misuse of their personal information:

  • Remain alert to any increased scam activity, especially through email, text messages or telephone calls, particularly where the sender or caller purports to be from Compass Group.
  • If you receive any suspicious emails, text messages or telephone calls, do not provide your online account passwords, or any personal or financial information.
  • Do not respond to, open or click on links in emails/text messages if you are unsure about the sender.
  • Visit the Australian Cyber Security Centre’s webpage at https://www.cyber.gov.au/protect-yourself/.
  • Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts.
  • Check your credit report (to alert you to any attempts to open a credit account in your name).
  • Stay informed of the latest threats by visiting https://www.cyber.gov.au/threats and the latest scams by visiting https://www.scamwatch.gov.au/.
  • Visit IDCARE’s Learning Centre and the OAIC website for further information and resources on protecting your personal information.

Yes. We have reported the incident to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC), who are providing assistance and support. We have also notified law enforcement. 

We have also notified the National Cyber Security Centre and engaged the Office of the Privacy Commissioner in New Zealand, as a precaution. We continue to work with these agencies as required and will provide relevant updates as the investigation unfolds. 

Where Compass Group Australia has collected personal information about our clients’ employees, customers or residents and stored it on our systems, it is likely that this will constitute jointly held information.

In these circumstances, the Privacy Act allows for one entity to notify the OAIC and affected individuals. Compliance by Compass Group Australia will be taken as compliance by any other entity with which Compass Group jointly holds information.

Here are some steps that everyone can take to protect themselves against identity theft, scams or fraud: 

  • Remain alert to any increased scam activity, especially through email, text messages or telephone calls, particularly where the sender or caller purports to be from Compass Group.
  • If you receive any suspicious emails, text messages or telephone calls, do not provide your online account passwords, or any personal or financial information.
  • Do not respond to, open or click on links in emails/text messages if you are unsure about the sender.
  • Visit the Australian Cyber Security Centre’s webpage at https://www.cyber.gov.au/protect-yourself/.
  • Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts.
  • Check your credit report (to alert you to any attempts to open a credit account in your name).
  • Stay informed of the latest threats by visiting https://www.cyber.gov.au/threats and the latest scams by visiting https://www.scamwatch.gov.au/.
  • Visit IDCARE’s Learning Centre and the OAIC website for further information and resources on protecting your personal information.

If our investigations identify that your high-risk information has been impacted by this incident, we will communicate directly with you to provide further information and offer guidance and advice on next steps. 

Any further enquiries or concerns can be directed to [email protected]
