A list of employee names, work phone numbers and job titles available to government employees through the Victorian Government directory was reportedly accessed by an unauthorized third party. According to the Australian Broadcasting Corporation (ABC), information on approximately 30,000 Victorian public servants was stolen in a data breach, after an unknown party downloaded a portion of the directory.
Employees that might have been impacted were notified via an email message which explained: "Because of this incident you may experience increased phishing, spam and social engineering attempts via your work email address and telephone numbers. As always, you should be aware of these risks and remain vigilant when it comes to unsolicited communications via email and telephone," ABC reported.
The breach was reported to the police, as well as to the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner. In addition, a spokesperson for the Premier’s Department said in a prepared statement: “The Government will ensure any learnings from the investigation are put in place to better protect against breaches like this in the future.”
Even though the breach occurred in 2018, it is Australia’s first breach announcement for 2019. As security professionals prepare for the cyber challenges that the new year will bring, organizations around the globe are focusing on tightening up their privacy regulations and controls in the wake of back-to-back data breaches.
However, while businesses increasingly tend to privacy policies and compliance requirements, “accidents” remain common. These accidental privacy missteps can lead to the exposure of confidential, corporate or sensitive data, yet they are often a result of human error or a lapse in clear thinking due to the fast-pace, intense nature of certain work circumstances.
The investigation into the breach of the directory remains ongoing, and it is too early to say what happened; however, Adnan Dakhwe, head of security and compliance at Vera, said that corporations are often challenged when it comes to keeping pace with employee turnover, a common innocent mistake that can jeopardize the integrity of data, regardless of security measures and policies in place.
“Too often organizations stall in revoking access to sensitive files and corporate folders, once employees have parted ways with the organization. Keeping access permission updated in real time is essential to ensure private data isn’t jeopardized,” Dakhwe said.