It is one of at least three further data breaches to be disclosed in Australia this week in the wake of the massive Optus cyber hack. It follows government plans to reform cybersecurity laws and seek higher penalties under the Privacy Act.
Guardian Australia understands the incident was a ransomware attack on Port Phillip Prison which was reported by media in early July. In mid-September, G4S learned that some of the information had been posted online.
But the company only informed those affected about the extent of the attack and what documents had been compromised in an email on Tuesday.
The data obtained included employee names, addresses, dates of birth, contact details, police and medical checks, tax file numbers, bank account details, superannuation information, Medicare numbers and licence details. In some cases, payslips, health information shared with the company, and details about Workcover claims or incident reports were also compromised.
The company said the data was not easily accessible. It told employees it had taken action to prevent the third party continuing to access G4S systems and was working with the Australian Cyber Security Centre (ACSC).
The company advised those affected how to replace their identity documents but did not offer to pay for the replacements or provide credit monitoring. The company worked with IDCare to assist affected staff.
Guardian Australia was also alerted on Tuesday to another Optus-style data breach involving an employment agency. The breach was the result of a similar open application programming interface (API) to that breached in the Optus attack. Personal documents such as photos of passport pages and Covid-19 vaccination certificates were accessible via the vulnerability.
The data dated back to 2017 and was from a third-party vendor Telstra had used for its employee rewards program.
Telstra no longer used the system and said only 12,800 of the 30,000 staff still worked for the company. It said it had reset the passwords for all users of its new rewards system.
A Telstra spokesperson said the company believed the party responsible for posting the data was seeking to profit from the attention on the Optus data breach, and no customer information was at risk.
Services Australia has begun sifting through the records of customers who had their Medicare cards exposed in the Optus data breach after Optus handed over the details to officials at 1am on Tuesday morning.
The federal government services minister, Bill Shorten, slammed Optus on Sunday for not having handed over the data, but Optus reportedly said the company was given until Tuesday to hand over the information.
The company has recruited Deloitte to conduct an external review into the circumstances of the breach but has indicated it will not release the findings publicly.
