Tuned Global's statement regarding the historical 2016 data exposure identified in 2020

At Tuned Global, we take the security and privacy of our clients and their end users extremely seriously. We are sharing this statement to provide transparency and context regarding a historical data exposure that occasionally resurfaces.


Background

In 2020, Tuned Global was notified by the Australian Federal Police (AFP), following a report from the FBI, that a dataset allegedly containing approximately 985,000 records had been identified on the dark web. The dataset was being offered for sale by a malicious actor known as “ShinyHunters” and was described as originating from 2016.

We activated our data breach protocol and started a thorough investigation. We came across a screenshot accompanying the ShinyHunters’ post that included a small sample of email addresses and personal information. At that time, we cross-checked the emails visible in the screenshot against our systems and could not identify any of the individuals — either because they were never in our systems or because we had already securely erased the data in line with our privacy and data retention policies following the end of client contracts.

We did not obtain access to the full dataset, so we cannot definitively verify its contents or confirm its origin.

Our Response

Immediately upon receiving the alert, we took the following actions:

  • Conducted a full internal security audit of our infrastructure.
  • Commissioned an independent investigation by a certified AWS partner, which included comprehensive reviews of our cloud logs and account activity.
  • Both investigations found no evidence of any breach or unauthorised access to our core infrastructure or AWS environments, in either our production or staging environments.
  • The AFP subsequently reviewed our findings and closed the case, confirming no further regulatory or investigative action was deemed necessary.

We were unable to retrieve the full dataset posted on the dark web, and therefore cannot verify its content, origin, or whether it ever belonged to us or to a third party using our services. While a few screenshots included column names that resembled elements of an old database schema, we found no matches for the visible sample user records in our archived or current systems. Given our data retention practices, it is also possible that any relevant records had already been securely deleted in line with our internal policies.

Our current security measures

We have made substantial enhancements to our systems and processes since 2016 to ensure maximum protection of data:

  • Achieving SOC 2 Type II and ISO 27001 certification.
  • Implementing secure DevOps pipelines, with rigorous security checks and regular penetration testing.
  • Retaining no customer or end-user data beyond the life of a client engagement, in line with GDPR and global best practices.
  • Conducting third-party security audits and maintaining robust internal protocols across people, processes, and technology.
  • Ensuring all sensitive data is encrypted using best-practice hashing and access controls.
  • Enforcing least privilege access policies across all accounts for all users.
  • Enforcing multi-factor authentication (MFA) across the board on all services.

We also consulted with independent forensic and threat intelligence experts to assess whether historical data from the dark web could be retrieved and attributed. Their conclusion: given the age of the incident, absence of logs, and the decommissioned nature of the relevant systems, a definitive technical investigation is not feasible. However, should new evidence emerge, we are prepared to reassess our findings.

Our commitment regarding transparency

Our lack of communication at the time, driven by our belief that the claim was not authentic, may have caused concerns and confusion. We are now committed to delivering a transparent, fact-based public narrative.

As part of this ongoing commitment, we engage directly with cybersecurity experts and digital threat intelligence professionals, including those who manage public breach-notification services. We believe that open collaboration with threat intelligence professionals helps ensure that public breach notifications are based on verified facts and reduces uncertainty for users.

We are currently in the process of developing a Trust Center on our website, which will centralise information on our security certifications, data protection policies, and any public-facing clarifications about past or future security matters.

We recognise that some individuals may receive alerts from third-party identity monitoring services (e.g. antivirus software, password managers, credit score tools) referencing “Tuned Global” as a breach source. These services often rely on publicly available breach databases.

If you received such a notification, please understand that:

  • We were never able to access or verify the dataset directly.
  • We have confirmed that no affected individuals could be identified in our systems at the time of the alert in 2020, and the data allegedly dates back to 2016.
  • We cannot independently validate the origin or scope of the data.
  • Given that we could not identify any individuals in our system, we were unable to notify people who were possibly affected.

We welcome security-related inquiries and can provide relevant certifications, audit summaries, or expert statements to support your due diligence.
This statement is based on the best information available as of July 10th 2025. We will update it if new verified facts emerge.

Contact

If you have concerns or need further clarification, please contact our Data Protection team at infosec@tunedglobal.com.