Investigative Journalism and Learning Hub - Waratah Strata Management ignored SP52948 Lot 158 request to provide information about alleged data breach at Waratah Strata Management and loss of strata files on 17 February 2020

Welcome to the blog of NSW strata investigative journalism

From: SP52948 owner
To: Frank Tallaridi Waratah Strata Management
CC: Robert Crosbie Waratah Strata Management
Subject: INTERIM UPDATE: Request to provide information about alleged data breach at Waratah Strata Management and loss of SP52948 strata files on 17Feb2020
Date: 17/2/20, 9:54 pm

Good evening,

It is noted that requests dated 14 July 2019 and 11 August 2019 to provide information in regards to alleged data loss and ransomware attack were not answered. In capacity of legal member of the Executive Committee representing owners corporation SP52948, Waratah Strata Management failed to respond.

Lot 158 has updates for you to consider and prepare immediate responses listed in the attachments:

a) Waratah Strata Management alleges that their computer systems were attacked by ransomware on 1 February 2019. The attack lasted undetected for several weeks.

It took Waratah Strata Management six weeks to report the data losses to owners, and three and a half months to report it to Fair Trading NSW.

Four different versions of events presented by Waratah Strata Management do not match each other.

The brief ransomware report by Sententia also raises more questions.

Apart from the lost USB key in mid-2018 (Waratah Strata Management did not keep copies of it) with all files for periods before 1 February 2017 that took Waratah Strata Management around 10 months to report to owners in March 2019, the second loss of data in the alleged ransomware attack was/is also not properly disclosed to owners.

Of special interest is the allegation that Bitcoin ransom was paid by a third-party known to Waratah Strata Management to the threat actor in the equivalent amount of $5,052.03. Waratah Strata Management still refuses to disclose who paid the ransom, what the Police case number was, and if ATO and other relevant organisations were notified.

An alleged ransomware attack against Waratah Strata Management occurred on 1 February 2019. Sententia report, dated 26 March 2019 stated (undisclosed by Waratah Strata Management to 218 owners):

b) Sententia report in March 2019 does not report any data losses in Office 365 or Azure cloud, therefore no record of files being destroyed by ransomware attack on Microsoft public systems that Waratah Strata Management uses for SP52948.

c) Lot 158 obtained official statement by Rockend that they provide the lookatmystrata.com.au domain as a service. However, Rockend does not store, hold, access, or release any information related to that domain. All such information is held, exclusively managed, and complete responsibility of Waratah Strata Management.

d) Lot 158 obtained official statement by Microsoft that they had never been notified about data loss and/or ransomware attack in Office 365 that keeps emails for waratahstrata.com.au.

Microsoft also stated that had anybody reported loss of emails in Office 365, Microsoft would have had the ability to restore them within 90 days after the incident. That obviously did not happen as Microsoft seemingly has no record of such actions.

Microsoft found no trace of any complaint, ticket, or report for data losses for waratahstrata.com.au in Office 365 during 2019 or 2020.

The only event related to waratahstrata.com.au was a ticket in June 2019 (case number 14941752) - problem with sending emails.

Microsoft has not been involved in any investigation of alleged ransomware attack or data losses that Waratah Strata Management reported for emails in Office 365.

Lot 158 has more information about this event but that will not be shared at the present time.

Regards,

On 14/7/19 8:16 pm, SP52948 owner wrote:

Hi,

Lot 158 has some information that might be of importance to help the Police investigations in regards to alleged data loss and hacking attack against Waratah Strata Management.

After malicious or criminal attacks, human error accounted for 35% of data breaches over the period 1 April 2018 to 31 March 2019 (source: Australian Government Notifiable Data Breaches).

The Privacy Act 1988 (Cth) (Privacy Act) and the Privacy Regulations 2013 (Privacy Regulations) require strata managers to comply with 13 Australian Privacy Principles (APPs) (subject to other provisions of that Act) in how they handle personal information. The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal (where applicable).

It is noted that Waratah Strata Management had full access to all passwords at lookatmystrata.com.au, which was/is against all security policies and privacy guidelines.

Please provide the following information as a matter of priority:

a) On which date (exact time would be appreciated) did the attack happen and what services were affected (website access to waratahstrata.com.au, email, and so on)?

b) Apart from SP52948, did any other Waratah Strata Management client lose data or get affected by the hacking attack?

c) SP52948 strata files are located at lookatmystrata.com.au. Does Waratah Strata Management allege that SP52948 data breach happened not only at waratahstrata.com.au but at lookatmystrata.com.au as well (two websites affected)?

d) Waratah Strata Management uses email services and Office365 at Microsoft. Is it alleged that Microsoft was also attacked and somehow lost SP52948 files?

e) On which date did the full services for email and website access to waratahstrata.com.au and lookatmystrata.com.au get restored?

f) Who provided file restore services (presumably from backup tapes or on-line backups)?

g) On which date was the Police notified and what is the Event number?

h) On which date was mandatory data breach notification completed (Privacy Amendment (Notifiable Data Breaches) Bill 2016)?

i) On which date, if applicable, was SP52948 insurance notified about the loss of data, financial files, and private information (including bank account details)?

j) Waratah Strata Management appears to have stated strata files on USB key that was lost (misplaced) by the Police in mid-2018 was not backed up. Is that still a valid and truthful statement?

Regards,