Camberwell High School suffers major privacy breach…Victorian Government exposed to action by parents and students under the Privacy and Data Protection Act 2014

May 29, 2017

It would appear that the school management software of Camberwell High School has been accessed by a person without authority, as reported in Camberwell High School becomes second target of major privacy breach in two weeks. Any breach is of concern, but cyber threats, whether from overseas participants or bored students at the school, are a possibility.  In this case the damage limitation and advice to those affected have been dismal, and all too typical.  Government agencies, particularly at a state level, are notoriously resistant to advising those whose personal information. As is often the case, the shutdown of communications or cover-up occasionally makes a bad situation much, much worse.

The Camberwell High School homepage provides no notice of comfort providing contact details for those concerned about the breach.  This is a fairly typical “pull up the drawbridge” approach to information sharing.  According to Camberwell High School’s Latest News:

Just a note to let you know that a small mudlark is protecting its nest along the Prospect Hill Road entries near the D building, it has also been sighted swooping near the E Building last week.  There have been a small number of students present with facial scratches so could you please be mindful and avoid the area when possible.

Please leave the mother bird alone as she will only be exhibiting this behaviour for a few weeks.

I am all for protecting mudlarks, and students from being scratched by them.  But losing personal information is a serious matter, as worrying as, if not more so than, being swooped by the protective mudlark.  The cost of a data breach can be much greater!

What is interesting is that the Camberwell High School breach occurred days, perhaps over a week, after a breach involving the same software program at Blackburn High School.  Two immediate conclusions are possible. The first is that Camberwell High’s data protection structure was hopelessly inadequate.  After Blackburn High was hit, Camberwell High should have reviewed its security.  The second conclusion is that there may be a weakness in the Compass Education program.  Software programs are generally focused on service delivery and put scant resources into building in privacy protections.

In Victoria, breaches of privacy are actionable under the Privacy and Data Protection Act 2014.  If the matter does not resolve at mediation and is referred to the Victorian Civil and Administrative Tribunal, the Tribunal can make a range of orders under section 77, including compensation of up to $100,000.  The legislation is underutilised and VCAT has been an uncertain forum, with some decisions defying all logic.  But with time the jurisprudence will grow and improve.  What is important is that it is the most effective legislation at a state level and does give those who are aggrieved a real course of action.

The article provides:

Police are investigating a second major privacy breach at a Melbourne high school which saw the personal information of families illegally accessed by a student.

The breach at Camberwell High School follows a similar but unrelated incident at Blackburn High School two weeks ago where the personal information of families was illegally obtained and published online.

The breaches have left parents feeling vulnerable and raised questions about how the Department of Education and individual schools deal with cyber security issues.

A Department of Education spokesman on Monday confirmed a student at Camberwell High School gained unauthorised access to Compass – a school management software system – and accessed the personal information of families.

Blackburn High School fell victim to a similar attack two weeks ago when an individual illegally accessed Compass and shared the personal information of families online, including their addresses, phone numbers, dates of birth and medical conditions.

A scam email masquerading as a letter from Blackburn High School principal Joanna Alexander was also sent to parents, asking them to submit their credit card details.

Police are speaking to one person of interest in relation to the incident. It is unclear if they are also a student.

Tania Andrusiak, whose son is in year 8 at Blackburn High School, said she was still waiting to hear from someone at the school after her entire family’s details were published online.

Principals at both schools have failed to return multiple calls from Fairfax Media.

Ms Andrusiak said she felt “sick” when learning of the privacy breach and said all her concerns about identity theft and fraud had been dismissed.

She said her repeated calls to the school went unreturned.

Compass Education also declined to provide information about the hacking, saying the matter was now a police investigation.

“The school has done absolutely nothing, not even passing on information. There has been completely no support,” Ms Andrusiak told Fairfax Media.

“The school hasn’t called us to say this is what to do if you’re approached by anybody or if fraudulent accounts are set up with your information. There’s just nothing. It’s been a brick wall.”

A message sent to Blackburn High parents about the breach.

Ms Andrusiak, who has a background in cyber safety, said she was concerned her son’s personal information could have fallen into the hands of a predator.

“I just felt really sick. You don’t know who has obtained that information.”

The hacking was not addressed in a newsletter sent out following the privacy breach and students were reportedly told by teachers the breach was “nothing to worry about”.

The only way Ms Andrusiak discovered where and what personal information had been revealed was through repeated calls to the Department of Education.

Department of Education spokesman Alex Munro said work was being done to prevent Compass being breached again.

“The department has identified how the student gained access to school computers and is following up with all schools to ensure this cannot happen anywhere else.”

Mr Munro said Camberwell High School families affected by the breach were contacted immediately and a school-wide letter was sent out.

Ms Andrusiak said a hotline established for parents was of little help and was manned by a Department of Education employee who was responsible for physical security at schools, not cyber security.

“He just sounded completely out of his depth and didn’t understand the terms I was mentioning or have any sense of what was going on. I couldn’t believe I’d been put on to this guy.”

She said she spoke to her son about what to do if someone he didn’t know contacted him but said schools needed to become more involved in cyber safety.

“They haven’t given any support at all. It’s been worse than useless. That makes me really, really mad. I’ve had just silence. I feel like I’ve completely lost faith with that school.”
