DBG Health hack: Cyber criminals target pharma empire and steal ex-employees’ payroll information

Australia’s largest provider of prescription medicines has been hacked by cyber criminals who stole the sensitive payroll information of an unknown number of former employees.
DBG Health, an Australian-owned company generating about $2 billion in annual revenue, has confirmed the cyber security incident to The Nightly while reassuring former staff that the criminal gang has not yet used their personal information.
“Last year, DBG identified that there had been a limited incursion on an isolated server holding a number of employee records,” a DBG Health spokesperson said in response to questions last week.
“The incursion was halted and DBG immediately engaged specialist cyber security and legal experts to forensically analyse the impacted server.
“DBG and its expert advisors notified and fully engaged with the appropriate authorities.
“DBG contacted relevant employees and offered any assistance that was required.
“Additional security measures have been put in place to further restrict access and strengthen system monitoring and detection.”
DBG declined to reveal how many former employees were impacted, which authorities were notified or which cyber criminals were behind the attack.
However, former staff – impacted by the breach – have been told their stolen records included payroll information “which may include your salary, superannuation payables and your contact information”.
DBG Health has more than 1400 employees working across its global portfolio which includes businesses such as Arrotex, VidaCorp, AXE Health, IPA and myDNA Inc.
DBG Health owns the country’s largest generic drug manufacturer, Arrotex, which – according to the company’s website – fulfils half of all scripts filled under the federal government’s Pharmaceutical Benefits Scheme every year.
The company’s portfolio also includes beauty brands MCoBeauty, Nude By Nature and Poni.
Last month, DBG Health’s billionaire boss Dennis Bastas notified former employees that cyber criminals had stolen their personal and payroll information.
In July, the chairman and group CEO emailed former employees about a “Cyber Security Incident Investigation”.
In the email, obtained by The Nightly, Mr Bastas advised former employees “what happened, what information was affected, how this may impact you and the steps we’ve taken to protect you”.
“We have confirmed that data stolen by cyber criminals last year includes some of your information from our payroll system,” he wrote.
“Our investigation indicates your stolen data includes information taken from our payroll system, saved from when you were employed in our business.
“It included your bank account details and your tax file number (TFN).
“As a precaution, we recommend you advise your bank that your account details have been caught in a data breach.”
The company said that in late August 2024, an “unauthorised third party accessed our network and stole data from a server”.
“We immediately engaged an expert third party to investigate and subsequently identified some employees whose personal information had been compromised,” the email said.
“An initial notification was made to those employees at the time. This engagement was completed in January 2025.
“In late January, we engaged EY’s Cyber Security Centre to further strengthen our cyber security measures and verify the initial investigation findings.”
It is understood that EY refers to Ernst & Young.
“After an extensive and time-consuming review that involved having to rebuild servers to determine exactly what was taken, EY’s review has now confirmed that additional payroll information was stolen,” the email said.
“We are notifying you as quickly as possible after this was confirmed.
“The stolen data includes payroll information from DBG Health businesses.”
Mr Bastas said that although the data had been stolen, there was no evidence that it had been used by cyber criminals.
“EY’s Cyber Security Centre has been monitoring the dark web for activity around this stolen data,” he wrote.
“They have not found any evidence the stolen data has been accessed or used.
“EY will continue to monitor and will alert us if and when that situation changes.”
A dedicated information line was set up for impacted employees to ask questions and receive advice about the situation.
“EY continues to monitor to detect if the stolen data is sold or misused on the dark web. Should that happen, we will notify you immediately,” Mr Bastas said.
“We sincerely regret that your information was impacted and remain committed to minimising any risk to you.
“We will continue to keep you informed of any significant developments.”
In January, Cyber Daily reported that a ransomware gang called Morpheus had claimed responsibility for hacking into DBG Health’s server last August and was offering the stolen data for sale on a dedicated leak site.
“The volume of extracted data, ready for sale or publication, is nearly 2.5 (terabytes),” a Morpheus spokesperson reportedly said.
The hackers boasted that the stolen data included confidential documents, recruitment information, DBG partner information, case reviews, sales and distributor data and business plans.
To prove the hack, Morpheus reportedly published two valid passport scans which appeared to belong to prior or current employees of DBG Health and two pharmaceutical documents from the Therapeutic Goods Administration.
DBG Health reportedly posted a notification about the cyber security incident on its website but a link to the post no longer works so it appears to have been taken down.
In the online notification, the company reportedly said it had informed the Office of the Australian Information Commissioner on September 16, 2024.
The OAIC told The Nightly it “does not comment on specific matters”.
This comes as the Australian Financial Review reported, earlier this month, that Mr Bastas had “offloaded a significant stake in the beauty and pharmaceutical empire he founded a decade ago in a deal that values the business at more than $7 billion”.
The AFR said the transaction boosted Mr Bastas’ personal wealth “from nearly $3 billion to an estimated $5.07 billion” while he continues to own around 75 per cent of the company.
Mr Bastas told the AFR the fast-growing DBG Health will ultimately list on the ASX.
“It is certainly a company that is suited to be a public company at some point,” he told the AFR.
“The breadth of our portfolio, the fact that we’re Australia’s largest pharmaceutical business, run by Australian owners for Australia will make this the kind of company that should be in the hands of Australian investors.”