Investigative Journalism and Learning Hub - Waratah Strata Management ignored request to inform SP52948 owners if committee members knew about two data losses on 11 August 2019


From: SP52948 owner
To: Frank Tallaridi Waratah Strata Management
CC: Robert Crosbie Waratah Strata Management
Subject: Request to disclose information if EC members were notified about two events for loss of SP52948 strata files in a timely manner on 10Aug2019
Date: 10/8/19, 10:25 am

Hi,

As expected and anticipated, Waratah Strata Management and EC members failed to respond to the inquiry about the alleged ransomware attack sent by Lot 158 on 14 July 2019.

Additional information is now required.

Please provide the following:

a) What is the earliest date when EC members were notified by Waratah Strata Management about the lost USB key that had been provided to the Police in April 2018?

b) Which EC members were notified about the lost USB key and strata files and what were their instructions to Waratah Strata Management? Copies of emails are necessary because they were not found during the document search on 31 May 2019.

c) Who is responsible for failing to run proper backups of SP52948 strata files and email folders in the period between the lost USB key and the second event - the ransomware attack on 1 February 2019?

d) Who made the decision not to notify owners about the lost USB key before, or at, the AGM in October 2018?

e) Was Economos notified about the lost USB key before their financial audit which was allegedly signed exactly on the day of the AGM - 18 October 2018 (but not disclosed to owners)?

f) What is the earliest date when EC members were notified by Waratah Strata Management about the alleged ransomware attack on 1 February 2019?

g) Which EC members were notified about the lost USB key and strata files and what were their instructions to Waratah Strata Management? Copies of emails are necessary because they were not found during the document search on 31 May 2019.

h) On which dates, if applicable, was the Australian Taxation Office notified about the lost USB key and the ransomware attack? Copies of emails or letters are necessary because they were not found during the document search on 31 May 2019.

i) On which dates, if applicable, were the Insurance Broker and the insurance policy provider notified about the lost USB key and the ransomware attack? Copies of emails or letters are necessary because they were not found during the document search on 31 May 2019.

Regards,

On 14/7/19 8:16 pm, SP52948 owner wrote:

Hi,

Lot 158 has some information that might be of importance to help the Police investigations in regard to the alleged data loss and hacking attack against Waratah Strata Management.

After malicious or criminal attacks, human error accounted for 35% of data breaches over the period 1 April 2018 to 31 March 2019 (source: Australian Government Notifiable Data Breaches).

The Privacy Act 1988 (Cth) (Privacy Act) and the Privacy Regulations 2013 (Privacy Regulations) require strata managers to comply with 13 Australian Privacy Principles (APPs) (subject to other provisions of that Act) in how they handle personal information. The APPs regulate the manner in which personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal (where applicable).

It is noted that Waratah Strata Management had full access to all passwords at lookatmystrata.com.au, which was/is against all security policies and privacy guidelines.

Please provide the following information as a matter of priority:

a) On which date (exact time would be appreciated) did the attack happen and what services were affected (website access to waratahstrata.com.au, email, and so on)?

b) Apart from SP52948, did any other Waratah Strata Management client lose data or get affected by the hacking attack?

c) SP52948 strata files are located at lookatmystrata.com.au. Does Waratah Strata Management allege that SP52948 data breach happened not only at waratahstrata.com.au but at lookatmystrata.com.au as well (two websites affected)?

d) Waratah Strata Management uses email services and Office365 at Microsoft. Is it alleged that Microsoft was also attacked and somehow lost SP52948 files?

e) On which date did the full services for email and website access to waratahstrata.com.au and lookatmystrata.com.au get restored?

f) Who provided file restore services (presumably from backup tapes or on-line backups)?

g) On which date was the Police notified and what is the Event number?

h) On which date was mandatory data breach notification completed (Privacy Amendment (Notifiable Data Breaches) Bill 2016)?

i) On which date, if applicable, was SP52948 insurance notified about the loss of data, financial files, and private information (including bank account details)?

j) Waratah Strata Management appears to have stated that strata files on the USB key that was lost (misplaced) by the Police in mid-2018 were not backed up.

Is that still a valid and truthful statement?

Regards,