Sydney Running Festival participants hit in mass email hack

The security breach last week saw an “unauthorised user” gain access to mailing lists from the massive Sydney Running Festival, which estimated to have around 33,000 participants this year alone, along with other events. Participants of previous year’s events have reported receiving scam emails as well.

The breach is believed to have affected 144,575 unique email addresses.

Dodgy emails have been sent to subscribers to those email lists mentioning an unsettled account and providing a GST inclusive invoice.

Recipients have reported receiving invoices demanding up to $3000 to be paid this week.

The Sydney-based events management company Pont3, whose third party external electronic mailing account was accessed causing the mass hack, has advised users of the breach by email and on its website.

However, there is anger from some recipients that they weren’t notified earlier.

Commenting on a Facebook post from the Blackmores Sydney Running Festival warning of the security breach, one user wrote: “This happened almost one week ago. I was only notified my data was taken today. This is far too long of a delay in notifying affected people. Very disappointing.”

Subscribers to Pont3’s various email lists were advised that on Thursday, October 6, Pont3 detected “unauthorised access” to its email server using “a legitimate user account” .

“The associated password was changed immediately and contact was made with the third party provider of the mailing service to seek further clarification on what had occurred,” the company said on its website.

“Participants were informed on Wednesday, October 12 2016. Communication was not provided prior to this date, due to further discussion with the Third Party Supplier, NSW Police and Cyber Security Experts. We needed to confirm exactly which records had been compromised.”

The company’s customer service team said it supplied information to “all affected parties” as soon as it was in a position to provide accurate confirmation.

Recipients have been advised no financial information was taken during the breach, and that Pont3 does not hold financial information.

Information taken in the hack included email addresses, names, gender, postcodes and dates of birth of recipients. People on Pont3’s mailing lists have also been advised to warn their friends and family members whose personal details may have also been accessed in the hack.

“We recommend increased vigilance around unsolicited emails, phone calls or letters arriving in the mail,” recipients were told in an email from Pont3.

If participants in any of Pont3’s events have received any suspicious emails they are advised not to open them and mark them as spam.

People on the mailing lists of Sydney Running Festival, Sydney Harbour 10k and 5k, 2016 Run Club training sessions, Electric Run Aus, Manly Inflatable Boat Race and Warrior Run and CBD building managers, businesses and stakeholders who may have been contacted as part of Point3’s our public notification campaign for the Sydney Running Festival have been affected.

“We sincerely apologise for any inconvenience this incident has caused,” the email said.

Pont3 has indicated it is working with NSW Police to investigate the security breach.

News.com.au has approached NSW Police for comment.

Originally published as Thousands hit in mass email server hack