Data Breach Public Notification Register

Details of the public notification for any notifiable data breach within the past 12 months under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) will be listed below.

A public notification is provided when it is not reasonably practicable to notify any or all of the individuals affected by the breach directly.

Title

Response

Date the breach occurred

1 October 2024

Description of the breach

Single mailbox in Tourism Department compromised. Email was used to send spam. Data within mailbox accessible by cybercriminal.

How the breach occurred

Staff member fell victim to a phishing email.

Type of breach that occurred

Business Email Compromise

Personal information that was the subject of the breach

Financial Details, Tax File Number, Identity Information, Contact Information, Health Information.

Amount of time the personal information was disclosed for

The cybercriminal had access to the mailbox for one (1) week; however, data could have been exfiltrated from the mailbox.

Actions that have been taken or are planned to ensure the personal information is secure, or to control or mitigate the harm done to the individual

Access to the mailbox was revoked as soon as the breach was identified.

Mailbox was analysed to identify the extent of the data accessed.

Internal processes have been updated to prevent public facing staff (Visitor Centre, Community Hub) from scanning documents on behalf of the Public.

Internal forms and processes have been updated to ensure New Supplier Forms are removed from mailbox after processing.

Staff to undertake additional cyber awareness training.

Notify affected individuals.

Recommendations about the steps the individual should take in response to the eligible data breach

  1. Advice to replace identity documents.
  2. Advice to close financial accounts and monitor for unauthorised transactions.
  3. Advice to closely scrutinise incoming emails or phone calls for any suspicious activities.
  4. If concerned about identity theft, contact IDCARE, the National Identity and Cyber Support Service.
  5. If requiring further information, contact the nominated Council officer using the supplied contact details.

 

Making a privacy-related complaint

If an affected party wishes to request an internal review under the Privacy and Personal Information Protection Act 1998, they can do so by writing to:

The General Manager
Weddin Shire Council
PO BOX 125
GRENFELL  NSW  2810 

or by lodging a complaint with the Information and Privacy Commission of NSW:

Enquire about a breach

If you have an enquiry about a breach listed above, please email mail@weddin.nsw.gov.au or write to:
PO BOX 125
GRENFELL  NSW  2810.