Xavier College data breach…how not to handle notification
November 24, 2022
Xavier College’s notice of a data breach has resulted in some no doubt unwanted publicity. Data breach stories are low hanging fruit for journalists. Often the story is the notice itself with a brief quote from the organisation and sometimes another quote from an “expert” keen for the publicity. It is hard not to be cynical about the way these stories are covered. But that is the landscape, and there are ways to keep the damage to a minimum in many cases.
The best starting point is to provide notice promptly and be as open and transparent as possible without drowning the reader in undigestible technical data. By the same token the notice should not be evasive and vague. Xavier’s notice of a data breach, which I posted 2 days ago, was quite inadequate, and the handling of the data breach was also far from effective. Xavier chose not to notify affected individuals until it became aware that the hacker might disclose the information, months after it was stolen. How it could have proceeded on the basis that a hacker would not do something with the data is difficult to understand. It is beyond naive.
Under the Data Breach Notification Regime an organisation can effectively self assess, determining for itself whether there is a risk of serious harm. It is a wholly unsatisfactory system. The downside of erring on the side of non disclosure kicks in when circumstances change and disclosure becomes necessary, as occurred here when Xavier determined that the data might be released. Xavier has not explained how it came to that conclusion or what the release might involve. It continues to maintain secrecy. A mistake.
The saga is covered by the Age in “Xavier College says stolen student data might be released after hack”. It provides:
Hackers have threatened to publish the personal information of current and prospective students of Xavier College online after a cyberattack, the school says.
The hack took place in June, but the school waited until this week to inform the families after it deemed that the number of people whose information had been stolen was much greater than it first thought.
The Catholic boys’ college said that when a key administrative staff member was hacked four months ago, it believed just 45 students were exposed, but it confirmed on Tuesday that more than 100 students or their family members had sensitive information, including birth certificates, visa applications, parenting arrangements and financial information, stolen.
The college said it initially kept the security breach secret from the wider school community because it had no evidence the stolen data would be misused or publicly disclosed.
“Then, in late October, it came to our attention that an unauthorised third party may disclose details of these mailbox contents,” a school spokesman said.
“The college has now taken steps to re-assess the original data and re-evaluate the risk parameters to consider whether any further individuals have been affected.
“As we did in June, immediate notification to specific individuals is occurring, while our wider school community has also been informed. The college network, learning and database systems remain secure.”
Members of the school community received a warning on Tuesday that their information might have been compromised, with the hacker gaining access to an email account that includes information relating to students’ and families’ finances, admissions, fundraising, scholarships, pastoral care and – for a small cohort of individuals – health information.
The school said no academic data was stolen.
“When the college initially became aware of the incident, we had no evidence to suggest that the contents of the email account would be misused or publicly disclosed,” the letter says.
“Notwithstanding this, in July 2022 we provided precautionary notifications to 45 individuals whose at-risk personal information was located in the email account.
“Based on the recent threat of data disclosure, we have expanded the scope of our assessment to identify whether there was any other information located in the email account that related to our students, staff or broader community.”
Xavier students are not the first to be exposed to a data breach this year.
Early this month, it emerged that technology company PNORS, which works with six different state departments including the Department of Education and Training, had been hacked, potentially exposing the personal data of thousands of students.
The Xavier hack was reported to the Office of the Australian Information Commissioner and the Australian Cyber Security Centre in June, the college said.