AusLeisure

The personal data of guests who have visited the popular Raging Waters Sydney waterpark may be at risk as a result of targeted attack by cyber criminals.

As reported by Information Age, hackers are understood to have stolen a reported 1TB of data from Parques Reunidos, the Spanish attractions operator whose multinational portfolio of properties includes the popular Raging Waters Sydney waterpark.

The Madrid-based company jumped into incident response mode after recently discovering what it describes as “unauthorised external access to our computer systems”, commencing forensic investigations and engaging that country’s Spanish Data Protection Authority (AEPD) about the incident.

Its response included shutting down affected systems and blocking their users; blocking of remote access connections; blocking all users’ passwords; and ‘temporary isolation’ of the company’s data centre.

The company is also expanding its data security tools and running “extraordinary awareness and training actions” to remind users about the risks of ransomware and other potential cybersecurity risks.

Those risks could impact guest who have visited Raging Waters Sydney, one of 21 waterparks operated by the group - whose portfolio of around 60 amusement parks, zoos, family entertainment centres are primarily located in Europe and the USA.

The Sydney waterpark was acquired by the Spanish company’s Palace Entertainment subsidiary in July 2018 for $40 million from Village Roadshow Themes Parks - marking its entry into the Australian market.

Reports suggest that the attack has been carried out by the BianLian ransomware gang whose custom software - with a reported 20 victims so far - exploits well-known vulnerabilities to quietly steal data.

Members have lurked on victim networks for up to six weeks, according to security group Redacted, with the ransom note on infected systems warning victims that “we have been downloading data from your network for a significant time before the attack”.

The data will be posted on the group’s Darkweb site within 10 days if the ransom is not paid, the group threatens its victims, warning that links to the data would be sent to clients, partners, competitors, and news agencies - threatening “potential financial, business and reputational loses (sic).”

BianLian’s ransomware encryption - which is spread through email attachments or clicking on links to malicious Microsoft Office, PDF, ZIP, JavaScript and other files - has already been reverse engineered and a decryptor was published earlier this year.

However, the mass publication of ‘client’ information could create challenges for the millions of people who have attended Raging Waters Sydney since it opened in 2013 - whose personal data is likely amongst the significant volume of data compromised by the attackers.

The stolen data is described as including personal information about company employees; ‘information and contacts’ of the company’s ‘partners and clients’; information about incidents at the company’s parks; and legal, financial, health, and operational information.

Information Age advise that such multi-pronged attacks are part of a growing trend that has seen ransomware gangs diversifying, rebranding, and networking with other groups to bolster their operations amidst declining ransomware revenues that could, Trend Micro recently warned, see many groups branching out into “adjacent areas” such as business email compromise (BEC), money laundering, and cryptocurrency theft.

Wave pool evacuation creates stir on social media
While Raging Waters Sydney maintains a low profile in the media, it was recently the focus of a social media stir after its wave pool was evacuated on Monday 9th January.

The incident saw guests asked to evacuate the popular waterpark’s wave pool, leading to speculation as to the reason.

With many confused by the closure, guests began to circulate videos on social media speculating that there had been a ‘code brown’ incident (when a person defecates in a pool).

One video, which showed a lifeguard standing at the edge of an empty pool while the adjacent beach area was full of idle patrons, racked up thousands of comments, with people expressing their reluctance to visit the attraction due to incidents like this.

However, a Raging Waters Sydney spokesperson subsequently advised that somebody had vomited in the wave pool.

Speaking to Yahoo News Australia, a spokesperson explained “a guest was sick whilst in the pool.”

As a result, the spokesperson noted that the facilities were closed for 20 minutes to allow staff to sufficiently clean the pool by following procedures "set out in their NSW Health Incident Response plan".

The spokesperson added “this is a very common issue that happens at all pools and water attractions.”

Image courtesy of Raging Waters Sydney.

Related Articles

18th October 2022 - Global attractions attendance report reveals 2021 as a year of recovery

31st January 2022 - New Zealand tourism businesses facing cybersecurity challenges

13th November 2021 - Businesses need to brace for cyber threats ahead of holiday season

1st July 2021 - Fitness and Lifestyle Group sign with Airlock Digital to protect against cyber attacks

31st May 2021 - Auckland Council Leisure Network candid about ‘code brown’ occurrences

22nd February 2021 - Online ticketing scams return to impact tourist attractions

29th December 2020 - Raging Waters Sydney uses Blacktown Council aquatic facility for lifeguard training

10th October 2020 - Raging Waters Sydney reopens with COVIDSafe protocols

3rd July 2019 - Rebranded Raging Waters Sydney waterpark reveals new waterslide

30th June 2019 - Spanish owners rebrand Wet’n'Wild Sydney as Raging Waters

6th April 2019 - Wet’n'Wild Sydney operator Parques Reunidos reports rising profits

28th February 2019 - US-based aquatic safety consultants award Wet’n'Wild Sydney lifeguards

11th October 2018 - Parques Reunidos completes Wet’n'Wild Sydney acquisition

16th July 2018 - IQ Pool Solutions introduces ‘code brown’ treatment solution

2nd July 2018 - Village Roadshow sells Wet’n'Wild Sydney to Spanish attractions operator

17th February 2018 - Village Roadshow reveals ‘incredibly disappointing’ results for Wet’n'Wild Sydney

13th January 2018 - Wet’n’Wild Sydney presents summer time motocross thrills

6th April 2017 - Visitor attractions hit by stolen credit card scam

18th October 2016 - Wet’n'Wild Sydney to install accesso’s queuing solution technology

12th August 2016 - Swimming Australia website under ‘cyber attack’ after Mack Horton’s ‘drug cheat’ remarks

5th August 2015 - How Invercargill’s Splash Palace handled the media during its ‘Code Brown’ crisis

11th June 2015 - Nappy supplier targets ‘code brown’ aquatic centre incidents

---

Support our industry news service
We hope that you value the news that we publish so while you're here can we ask for your support?

As an independent publisher, we need reader support for our industry news gathering so ask that - if you don't already do so - you back us by subscribing to the printed Australasian Leisure Management magazine and/or our online news.