We regret to inform our members that the ASCA website has fallen victim to a data breach. We’ve detailed everything we know about the breach below and encourage members to read through it carefully.
We do not believe any data was stolen, and our service provider is confident the site is now secure. We will continue to monitor and investigate the situation, but as a precaution we strongly suggest that members update their passwords using the guidance below.
At approximately midnight on 1 February 2023, ASCA’s website was accessed by an unknown party. Our IT management and service provider reported the breach to us at 1:17 PM the same day.
This breach relates only to our website https://www.australianspecialtycoffee.com.au/ and not to Glue Up (our current member management system).
How was the website accessed and what was affected?
Access was obtained through a secondary account in a website management system used by our IT service provider. That account had administrator access to every website under their management, including ASCA’s. The secondary account has now been removed.
The attack appears to have been automated: approximately 30 websites under our IT service provider’s management were accessed at the same time.
It is unclear at this stage whether the entry point was a vulnerability in the third-party website management system, a brute-force attack on the account, or a consequence of the LastPass security breach last year (our IT provider uses LastPass to store their passwords).
During the breach, the unknown party installed a file management plugin with known vulnerabilities. This plugin has since been removed.
An audit of the ASCA website was conducted and, apart from that added plugin, no file modifications were found.
What was accessed?
Based on our investigation, we do not believe any member data was stolen. ASCA’s website has no built-in functionality to export user data from the database in bulk.
However, given the nature of the intrusion, if a human was behind the access and manually browsed individual sales or user records, they could have seen the following data:
- Full name
- Email address
- Past order information prior to 15 January 2022, including:
  - Billing address
  - Billing phone number
  - Stripe transaction IDs
Please note that ASCA does not store any credit card information in our database. All transactions prior to 15 January 2022 were processed via Stripe, which encrypts sensitive information such as credit card numbers with AES-256.
What you can do
The kind of data exposed in this breach could be used for phishing and social engineering, for example by bad actors impersonating ASCA in a message to you, or by using your details to pose as you when contacting other services. We recommend:
- Being alert for any phishing scams that may reach you by phone, post or email.
- Verifying any communication you receive, through a contact channel you already trust, before acting on it.
- Being careful when opening or responding to texts from unknown or suspicious numbers.
- Updating your passwords to strong, unique passwords (never re-use a password across accounts) and activating multi-factor authentication on any online account where it is available.
When creating a strong password, here are some tips:
- Use 10 or more characters
- At least one uppercase character
- At least one lowercase character
- At least one digit
- At least one symbol
- Do not use common names or words found in dictionaries
- Do not simply substitute ‘@’ for ‘a’, ‘0’ for ‘o’, ‘1’ for ‘i’ and so on; password-cracking tools try these substitutions automatically, so they add little strength.
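As an added illustration (not part of ASCA’s notice or its provider’s tooling), the Python checker below applies the tips above and, for the last tip, undoes the common substitutions before looking for dictionary words. This shows why the substitution rule matters: a password such as P@ssw0rd1! satisfies every character-class rule yet is still rejected once ‘@’, ‘0’ and ‘1’ are mapped back. The word list is a constructed stand-in for a real dictionary or leaked-password list, and the substitutions beyond those named in the tips (3, 4, 5, 7, $) are assumed extras that cracking rule sets commonly include.

```python
from __future__ import annotations

import re
import string

# Constructed mini word list standing in for a real dictionary / cracked-password list.
COMMON_WORDS = {
    "password", "coffee", "barista", "espresso", "welcome", "australia", "qwerty",
}

# Substitutions from the tips above (@, 0, 1) plus a few assumed extras that
# password-cracking rule sets routinely undo.
LEET_MAP = str.maketrans({
    "@": "a", "0": "o", "1": "i",
    "3": "e", "4": "a", "5": "s", "7": "t", "$": "s",
})


def normalise(password: str) -> str:
    """Undo the substitutions in LEET_MAP and lower-case the result."""
    return password.translate(LEET_MAP).lower()


def dictionary_hits(password: str, words=COMMON_WORDS, min_len: int = 4) -> list[str]:
    """Return dictionary words that appear in the password after normalisation.

    Remaining digits and symbols are also stripped so that 'coffee2023!' still
    matches 'coffee'.
    """
    base = normalise(password)
    letters_only = re.sub(r"[^a-z]", "", base)
    return sorted(w for w in words if len(w) >= min_len and (w in base or w in letters_only))


def check_password(password: str) -> list[str]:
    """Return the tips the password fails; an empty list means it passes all of them."""
    failures = []
    if len(password) < 10:
        failures.append("fewer than 10 characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase character")
    if not any(c.islower() for c in password):
        failures.append("no lowercase character")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    hits = dictionary_hits(password)
    if hits:
        failures.append("dictionary word(s) after undoing substitutions: " + ", ".join(hits))
    return failures


if __name__ == "__main__":
    for candidate in ["coffee", "P@ssw0rd1!", "Espr3ss0-B4r1sta", "rV7#kq2LmZ9pW!"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Note that P@ssw0rd1! and Espr3ss0-B4r1sta fail only the dictionary check, while the random string passes every rule, which is the point of the last tip.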
What ASCA is doing
ASCA is currently undergoing an IT security policy review and will implement its recommendations.
ASCA sincerely apologises to all members affected by this data breach, and we are here to help.
If you have any questions or require assistance, please email email@example.com.