Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500GB of data allegedly stolen from the firm.

Firstmac is a significant player in Australia’s financial services industry, focusing primarily on mortgage lending, investment management, and securitization services.

Headquartered in Brisbane, Queensland, and employing 460 people, the firm has issued 100,000 home loans and currently manages $15 billion in mortgages.

Yesterday, Have I Been Pwned creator Troy Hunt published on X a sample of the notification letter sent to Firstmac customers, informing them of a severe data breach.

“Firstmac recentrly experienced a cyber incident where an unauthorised third party accessed a part of our IT system,” reads the letter.

“As soon as we detected the incident, we took steps to immediately secure our system.”

From the investigation that followed, assisted by external cybersecurity experts, Firstmac determined that the below information was compromised:

• Full name
• Residential address
• Email address
• Phone number
• Date of birth
• External bank account information
• Driver’s license number

Despite that, Firstmac assured recipients that their accounts and funds are secure, and the firm’s systems have now been appropriately bolstered.

Among the measures that were introduced to strengthen security is a new requirement for all account changes to confirm the user’s identity using two-factor authentication or biometrics.

Recipients of the notices are provided with free identity theft protection services through IDCare and are advised to remain cautious with unsolicited communications and regularly check their account statements for unusual activity.

New Embargo gang claimed the attack

Australian news outlets reported about the attack on Firstmac in late April after the Embargo extortion group announced it on its data leak site.

On Thursday, Embargo leaked all data they claimed to have stolen from Firstmac’s systems, including documents, source code, email addresses, phone numbers, and database backups.

The new threat group currently only lists two victims on its extortion page, and it is unknown if they have committed the breaches themselves or bought the stolen data from others to blackmail the owners.

Samples of Embargo encryptors have yet to be found, so it’s unknown if they are a ransomware group or simply focus on extortion.