Notifiable Data Breach – Incident Notification
I wish to advise of a data security incident at The Eagle Academy (the Academy), which may have resulted in the loss of some personally identifiable information.
On 22nd June 2019, the Academy discovered that an Excel spreadsheet containing student information was publicly visible on Google. As soon as the Academy became aware of this issue, we acted swiftly, taking proactive measures to secure the webpage, prevent unauthorised access to records, and investigate the incident’s potential impact.
We can assure you that the Academy is taking extensive measures to mitigate any risk and protect information. In addition to our internal investigation, we have engaged external IT expertise, supported by an independent Cybersecurity specialist firm to provide additional expertise and support in this matter.
Although our IT and Cybersecurity consultants found no evidence that any information was accessed, downloaded or stolen, the Academy is notifying any potentially affected individuals as a precaution. To that end, as soon as we practicably could, we have informed all those potentially affected by this incident.
What information may have been accessed?
Our investigation revealed that there was a certain amount of information held on the compromised form, which did not include passwords but may have included some personal information including (but not limited to):
Personally Identifiable Information, including:
- Full Passport Details
- Full Licence Details (Australian)
- Full Names
- Date of Birth
- Sex (male / female)
In accordance with the Privacy Act 1998, and the mandatory Notifiable Data Breach Scheme, the Academy confirms that on 15th July 2019, we reported this incident to the Office of the Australian Information Commissioner (OAIC), and we will continue working cooperatively with that office during this investigation.
For further information relating to the Notifiable Data Breach Scheme, you may wish to visit the OAIC website (https://www.oaic.gov.au).
What else are we doing?
The Academy takes its obligations to safeguard your personal information very seriously. Our number one focus has been to clearly identify who has been (and rule out who has not been) potentially affected by this incident and also to identify precisely what information may have been compromised.
Additionally, the Academy was already in the process of undertaking an independent external review of our Information Security and Cybersecurity posture, together with our relevant policies and procedures, to identify what more can be done to enhance our existing Information Security and Cybersecurity resilience, thus ensuring that this type of incident is not repeated. These efforts will be ongoing, and in the interim, there are some additional steps you may wish to consider taking as a precautionary measure.
What preventative security precautions should affected individuals consider?
We sincerely regret that this incident occurred and acknowledge how it might affect you. To that extent, we are committed to providing as much support, guidance and assistance as we can. As a precaution, we have outlined below proactive and preventative measures that may maximise the ongoing security of your information:
- Change Your Passwords – For any online accounts, especially where you use the same or a similar password, we recommend that you change that password immediately and consider using a recognised Password Manager (https://www.digitaltrends.com/computing/best-password-managers/).
- As an additional level of security, consider immediately enabling Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) on all available accounts, especially your email and financial accounts. For additional information relating to MFA and 2FA please visit the ACSC website (https://acsc.gov.au/publications/protect/multi_factor_authentication.htm).
- Remain vigilant to any suspicious emails, unsolicited telephone calls, SMS and email phishing scams. Please be aware that the Academy will never email you to advise of any changes relating to your bank accounts or ask you to confirm any sensitive information via email. For more information relating to phishing scams, please visit the ACCC’s website (https://www.staysmartonline.gov.au/protect-yourself/recover-when-things-go-wrong/phishing).
- Remain vigilant to any form of Social Engineering, such as ‘Business Email Compromise’ (BEC) scams, also referred to as “CEO Fraud”. These will often attempt to impersonate a senior staff member, finance department member, company legal representative or trusted vendor etc. Threat actors (cyber-criminals) will send fraudulent emails (from a trusted person’s email address), impersonating a senior executive of the organisation (CEO, CFO etc.), in an attempt to deceive (trick) their victim into initiating a financial transfer, change of bank account details, or some other fraudulent request. Additional information about this type of scam is available on the Australian Government Stay Smart Online site (https://www.staysmartonline.gov.au/news/small-businesses-losing-profits-sophisticated-email-scams).
- Remain vigilant to unauthorised requests to port your mobile telephone number to another provider. In most cases, the first indicator of unauthorised porting will be your mobile phone unexpectedly losing coverage and going into SOS mode. If this occurs, contact your telecommunications service provider immediately to confirm whether a request for porting has occurred and if so, request an immediate reversal. If you discover that your number has been ported without your authorisation, you should contact your financial institution(s) to suspend online banking temporarily. You should also consider contacting any other service providers with whom you have set up either two-factor or multi-factor mobile phone authentication. More information about this type of scam is available on ACCAN’s website (https://accan.org.au/hot-issues/1385-fraudulent-mobile-number-porting-and-identity-theft).
- Ensure you have robust and up-to-date cybersecurity software installed on all your connections.
- Review and continue to monitor your financial and payment card account statements for any discrepancies or unusual activity. Contact your relevant financial institutions if you have any concerns.
- Review and continue to monitor your consumer credit report for any discrepancies or unusual activity. You can also request that a ban be put in place while you investigate further.
- Additional guidance about protecting your identity can be found at the Office of the Australian Information Commissioner’s website (https://www.oaic.gov.au/individuals/data-breach-guidance/what-to-do-after-a-data-breach-notification#other-resources).
What other action should I consider?
Should you have any concerns relating to potential identity theft, then you may wish to contact Australia’s National Identity and Cyber Support organisation – IDCare (https://www.idcare.org/).
You may also wish to review and continue to monitor your consumer credit report for any discrepancies or unusual activity. You can apply for an annual free credit report from each of the consumer Credit Reporting Agencies below. This report will also show you which organisations have recently checked your credit history, so you can tell them not to authorise a new account in your name. You can also request that a ban be put in place while you investigate further.
Relevant contact details are below:
| Credit Reporting Agency | Website |
|---|---|
| illion (formerly Dun & Bradstreet) | https://www.checkyourcredit.com.au/Personal |
| Tasmanian Collection Service | https://www.tascol.com.au/credit-reporting/ |
Should you have any concerns or questions relating to this incident, my team and I are here to assist.
We have set up a dedicated email mailbox (firstname.lastname@example.org), and should you wish to discuss this with one of our Senior Managers, they can be contacted via telephone on (07) 3398 4488.
We sincerely apologise that this incident has occurred and we want to assure you that we are doing everything we can to mitigate the possibility of similar incidents. Above all, my team and I sincerely value the innate trust we have with all our students, and we are committed to protecting information and privacy.
We will continue to review and strengthen both our IT Security and Information Security protocols in our ongoing effort to enhance our company’s overall data security. We thank you for your understanding and continued support.