- A successful tech business was destroyed by a lone hacker in just 11 days.
- The owners lost their business and home, and suffered years of psychological fallout.
- Key lessons include managing human impact, mastering security basics, and disaster planning.
Building Distribute.IT took Alex Woerndle and his brother Carl nine years. Starting soon after the turn-of-the-century tech crash, they created a business that managed approximately 10% of Australia’s domain name registrations. (This domain registration process is a foundation of the Internet.)
It took just 11 days for a sole hacker to bring it all crashing down.
The story of the June 2011 Distribute.IT hack is more than a technical tale of a cyber attack; it’s a story about the emotional and financial toll that follows when digital defences fail. The hack cost co-owner Alex Woerndle his business, his home, and years of psychological fallout.
Woerndle presented these events to members of the IFA’s parent body, the Institute of Public Accountants (IPA), in an early session of the IPA’s 2025 National Congress. He warns that “as a business community, we’re still not learning, because we’re still seeing these same mistakes coming to the fore in breaches.”
Woerndle has retold this story before – in part because, in the aftermath of the collapse, a police officer advised that retelling the story might help others avoid the same fate.
The first mistake
Woerndle says Distribute.IT’s demise started not with a bang, but with a quiet alarm on Friday, 3 June 2011. The company’s systems showed someone was repeatedly guessing passwords in an attempt to access a key server.
The Distribute.IT team took what it thought to be the safety-first approach: they shut down all external access to the network. They aimed to lock the intruder out. Instead, they may accidentally have sent him a provocative signal: “we know you’re here”. Then followed a game of cat and mouse, as the tech team chased the hacker through the network, changed passwords and replaced hardware.
By Monday, Woerndle says, an exhausted team believed they had contained the threat. They then had to report the threat and perform a full password reset for every client. This, unsurprisingly, added a torrent of customer complaints to the existing cleanup task. But by the end of the week, the team felt they had “dodged a pretty big bullet”. They were wrong.
The knockout blow
The fatal blow landed at around 4:30pm the following Saturday, 11 June. Woerndle explains that he had just dropped his four young children at his in-laws’ home, looking forward to dinner with his wife after a tough week.
Then a phone message arrived: “The hackers are back. It looks much worse. You better come in”.
The new attempt was indeed much worse. This time, the hacker had managed to sidestep normal authentication to enter Distribute.IT’s system. He locked the staff out and began the destruction. Rather than stealing data, he systematically destroyed it. Woerndle’s team had no choice but to create a “complete blackout,” with server cables physically ripped out.
Their entire Internet-based business was now offline.
The emotional collapse
At this point, the problems began to expand exponentially. When a business like Distribute.IT is offline, everyone in the team can feel the clock ticking on them. But this team had also been drained by the fight against the first attack. Now they had to try to rebuild again, even as police bagged hard drives as evidence. Insurance assessors arrived to survey the damage. Soon the mainstream media arrived to take up positions outside their small office. Critics massed on social media too. And a wave of emails started to overwhelm the two staff tasked with responding to it.
Recounts Woerndle: “All of these things really built this whirlpool effect … You just lose a bit of control over it.” That obvious lack of control worried clients.
And many clients had good reason to worry. Around 4,500 websites on four crucial servers were unrecoverable. Many of the clients had no backups of their own. “We are aware that a number of small businesses actually just shut the doors and didn’t reopen,” Woerndle remembers grimly. That in turn had knock-on effects for other businesses.
At the time, this may have been the biggest cyber incident in Australian history, happening to a relatively tiny firm. Few people are equipped to deal with such overwhelming pressure. As the days went on, staff began to quit, or not show up. Among them were key IT personnel. One worked beside the two brothers at the office for four days without ever leaving – but once he left, he did not return.
Woerndle himself had a similar reaction. Finally returning to his home mid-week, he recalls seeing his wife and four children huddled on the couch. “I had that sort of debilitating feeling of realisation, of ‘this is actually what I’m about to lose’,” he says. “And it wasn’t about the business, it wasn’t about the money, it was about the family”. He broke down, locking himself in a bathroom, crying uncontrollably. He was only four days into an 11-day ordeal.
The final act
Amid the technical, regulatory and emotional chaos, Woerndle believes he and his team made another critical mistake. They focused their energy on those 4,500 small business clients whose websites were gone. In doing so, they neglected the core domain name systems that accounted for over 70% of the company’s revenue.
On 22 June, 11 days into the hack, the domain name problem finally killed the company: it lost its domain registration accreditation. The governing body gave two hours’ notice that it would enable the transfer of all Distribute.IT’s 200,000 domain name clients to competitors.
With the clock ticking, Woerndle had two options: trigger a chaotic commercial and legal fallout; or sell, immediately. In a five-minute phone call, competitor Netregistry agreed to buy Distribute.IT’s assets. That evening, the governing body stood down; the next morning, Netregistry representatives arrived with a bank cheque. Woerndle handed them the keys, introduced them to the few remaining staff, and went home.
The wash-up
Over the next 18 months, Woerndle says, he worked to liquidate the corporate entity. Events confirmed that he had “lost everything”.
Woerndle says he was later told that the hacker was relatively inexperienced – he had taught himself basic techniques by watching YouTube videos. Rather than targeting Distribute.IT specifically, he had launched similar attacks at more than 100 businesses, simply hoping to find a vulnerability somewhere.
Woerndle has spent the years since the attack advising businesses on cyber security. With his brother he is co-founder and co-CEO of MyEmpire Group, a cybersecurity firm. They bill MyEmpire as “the answer to ‘what would have saved us last time’.”
Epilogue: 5 lessons from the ashes
Alex Woerndle identifies at least five key lessons from the destruction of his company, applicable to any business facing a cyber-attack.
- Manage the human impact: In a disaster, the well-being of the response team is critical. Without plans for rotating key people, exhaustion will lead to poor decisions and long-term mental health consequences.
- Master the fundamentals: Three fundamentals – using unique user accounts, enforcing passwords stored in a secure vault, and activating multi-factor authentication (MFA) – are central to keeping intruders out. These must be enforced wherever possible.
- Control the narrative: In a crisis, communication breaks down internally and externally. A clear plan for communicating with staff, clients, media, and regulators is essential to prevent inefficiency, anger, and rumour from spiralling out of control.
- Plan and test for disaster: Most firms are unprepared for a major incident. They need an incident response plan. That plan should be integrated with a business continuity plan. Both plans should be tested in non-stressful situations, to ensure they work and to clarify who makes critical decisions.
- Understand your supply chain: Many breaches now come through third-party suppliers. Businesses must know which suppliers hold their data, and what security measures those suppliers have in place. Do not assume your IT provider is managing all your cyber risk.









