Xavier college suffers data breach in June, finds out in October that someone was trying to do something with the data and sends out notification today…Not best practice.
November 22, 2022
Xavier College in Melbourne has suffered a data breach. A notice went out today to Old Xaverians (past students of Xavier who have kept a connection with the school).
It appears that entry occurred through the email account of an employee, a fairly standard entry point. Given that this led to access to other details, it is possible that the hacker obtained credentials to move within the system; alternatively, the system was wide open and permitted unimpeded movement throughout it. When that happened is not made clear. It was discovered some time in June. Then in late October Xavier found that an unauthorised third party “may disclose details of these mailbox contents.”
Notifications in the United States have become something of an art form, balancing being as transparent as possible, giving as much information as practical but not overwhelming the reader. Often the complete picture of what happened is not fully known at the time a notification needs to be sent out. I have read many such notices and getting it right is important.
The notice from Xavier College is not very good. Putting aside the awful prose, it raises more questions than it answers. The events in October are described in terms that leave the impression that the author is being evasive. The letter tries to cover the necessary issues but is vague and woolly where it should be specific and precise, particularly about what happened to the data. Apparently some members were previously contacted by the College, which raises the question of why the letter, drafted as a notification of a data breach, was sent only now. As the Optus and Medibank data breaches show, the initial notice can at least partially smooth the difficult path ahead or throw more boulders onto the roadway.
At best this Notice is a not terribly good first draft.
The letter provides:
In June this year, Xavier College became aware that the email account of one of its employees had been subject to unauthorised access by an unknown third party.
The College immediately notified any members of our community directly affected by the unauthorised access.
In late October it came to our attention that an unauthorised third party may disclose details of these mailbox contents.
On each occasion, the College undertook the following steps in response:
• Engaged cyber security experts to provide an in-depth investigation
• Took steps to ensure the incident was contained and that our network and data systems had not been adversely impacted and were secure
• Conducted a review of the individual’s Mailbox contents to identify any individuals who may have been at-risk
• Notified any members of our community potentially affected by the data breach
• Consolidated ongoing training for staff and students around cyber vigilance and online safety
We also notified the Office of the Australian Information Commissioner and Australian Cyber Security Centre of the incident.
The College has now taken steps to re-assess the original data and consider whether any further individuals may have been affected.
As in June, immediate notification to specific individuals is occurring.
As you will be aware, there has been a proliferation of cyber attacks and data security issues (including a number of other schools) reported over recent months.
As a general reminder, we attach recommendations for steps you can take to protect your personal information (see “Steps you can take to protect against potential data misuse”).
Please remain vigilant regarding your online security and ensure you do not open any suspicious emails or links.
If you have any questions or require support regarding this matter, please utilise our dedicated email at cyber@xavier.vic.edu.au
Steps You Can Take to Protect Against Potential Data Misuse
What can I do to protect my personal information?
• be aware of email, telephone and text-based scams and refrain from sharing your personal information until you are certain about who you are sharing it with;
• enable multi-factor authentication for your online accounts where possible;
• ensure you have up-to-date anti-virus software installed on any device you use to access your online accounts;
• take note of what is called a ‘Uniform Resource Locator’ or ‘URL’ when on a webpage which is asking for your login credentials. This is located in the address bar of your web browser and typically starts with ‘https://’. If you are suspicious of the address, do not provide your login details and contact your service provider to ensure you are logging into the correct page;
• do not open suspicious texts, pop-up windows or click on links or attachments in emails – delete them;
• do not respond to phone calls about your computer asking for remote access; and
• choose passwords that would be difficult for others to guess and update them regularly. A strong password should include a mix of upper and lower-case letters, numbers and symbols. Do not use the same password for every account/profile, and don’t share your passwords with anyone.
For further guidance around securing your personal information and protecting yourself from scams, we encourage you to utilise these resources:
• https://www.cyber.gov.au/acsc/view-all-content/publications/easy-steps-secure-your-online-information
• https://www.scamwatch.gov.au/get-help/protect-yourself-from-scams/
• https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-protect-your-privacy/