The 8Base ransomware gang claimed another Australian victim in March with news of its hit on Castle Hill RSL Group (CHRG), and the ramifications are setting in.
The hackers claimed access to personal data, accounting documents and a significant amount of other sensitive information. Despite threats to leak the data on 6 March, no such leak has occurred to date.
In immediate response, CHRG, formerly known as Castle Hill RSL, notified the Australian Cyber Security Centre and enlisted independent cyber security experts to handle the breach. The group’s website now features an advisory notice warning visitors about the incident.
“Our ongoing forensic investigations have not identified any indications that our sign-in credentials, membership database, or point-of-sale systems were impacted by the incident,” a CHRG spokesperson said at the time.
CHRG, which services over 80,000 members across multiple clubs including Club Parramatta, Castle Hill Fitness & Aquatic Centre, Lynwood Golf & Country Club, and Castle Hill Bowling Club, emphasized that while it is legally required to check guests’ photo IDs, these details are not stored in their system. Membership data is collected solely to provide members with services and benefits.
CHRG has pledged to work closely with regulators and to swiftly resolve the breach, suggesting no-one is immune to cyberattacks.
Now, months after the initial attack, CHRG has begun sending letters to affected customers, confirming that some data was in fact compromised, with a new updated advisory on the website.
The letters, sent mid-May, outline the specific data affected: full names, dates of birth, and contact details such as email, postal addresses, and phone numbers.
“Further forensic investigations have identified that limited personal information from current and historical databases belonging to the addressee, collected by CHRG in compliance with its legal requirements as a registered club, may have been subject to unauthorised access and disclosure,” the letter and website advisory stated.
“CHRG is taking all reasonable steps to limit the impact of, and meet its obligations to, the incident. We wish to inform current and past members of the information that may have been involved and the steps that should be taken in response.
“We are disappointed that this information is involved. However, the risk of harm is limited, as this information is generally considered to have low sensitivity. In addition, based on our investigations, we believe that the data stolen from our systems is not publicly available.”
This assertion seems accurate, as a link on the 8Base leak site redirects to an error message that states “This folder was not found”.
A CHRG spokesperson explained the timing of the notifications, that CHRG sent notifications to affected individuals as soon as practicable, in compliance with the Privacy Act.
This required completion of investigations into the incident to identify the impacted data, the personal information it contained, and affected individuals to be notified. It was reportedly a complex, time-consuming process, “undertaken as expeditiously as possible”.
The Club notified the ACSC of the incident and cooperated with the OAIC in compliance with the Privacy Act. CHRG says it is committed to minimising the impact and meeting its obligations to both members and visitors.
CHRG confirmed it detected the incident on 17 February, and 8Base posted initial details of the hack on 13 March. At the time, CHRG stated it was confident that membership data was not impacted, but offered that “investigations are ongoing”.
In brighter news for the club, CHRG secured unanimous approval through Sydney Central Planning Committee and Hills Shire Council for a $340 million luxury lifestyle community development.
