On January 1, employees of the State of Victoria in Australia earned the unwelcome distinction of receiving what appears to be the first data-breach notification of 2019. According to ABC News, employees received an email on January 1 informing them that on December 22, 2018, “an unauthorized third party accessed and downloaded a partial copy of the Victorian government employee directory, which identified approximately 30,000 public service staff and contractors. It appears the third party accessed the list after compromising an employee’s email account.”
The email also stated that the list is available to Victorian government employees and contains work emails, job titles, and work phone numbers, and that their mobile phone numbers may have also been accessed if they were in the directory. As a result of the breach, employees were further informed, “you may experience increased phishing, spam and social engineering attempts via your work email address and telephone numbers,” adding, “As always, you should be aware of these risks and remain vigilant when it comes to unsolicited communications via email and telephone.”
Note: In response to the breach, the Victorian Premier’s Department stated that it had referred the breach to Victoria Police, the Australian Cyber Security Centre, and the Office of the Victorian Information Commissioner for investigation. A Department spokesperson stated that the Government “will ensure any learnings from the investigation are put in place to better protect against breaches like this in the future.”
The Victorian government, however, should not wait for the investigation’s conclusion to take action. At a minimum, given the statement that the hacker had compromised an employee’s email account and then accessed the employee list, it needs to send a reminder to all government employees that forcefully stresses the importance of always refraining from clicking on links in emails from sources unknown to them. To be sure, internalizing that message can be difficult for people in any organization who receive hundreds of emails each day at work. Moreover, anyone who is not knowledgeable about current cybercrime exploits and techniques may find it difficult to believe that a moment’s carelessness can lead to compromise of an entire network or database.
For that reason, the government should consider special training, such as a webinar required for employees in all Victorian departments, that can show people how easily such compromises can occur and how severe the consequences can be for themselves, their colleagues, and their department. In addition, even though the employee list reportedly did not include employee banking or financial information, the government needs to act sooner rather than later in placing tighter access controls around that list. Chief information security officers and chief counsels in all Victorian departments need to coordinate their efforts in deciding on and implementing such controls to reduce the risks of future breaches.
Finally, other Australian state governments, as well as Commonwealth departments, should take this opportunity to disseminate similar messages to their employees and to review the adequacy of their own data-protection procedures and processes and cybersecurity training. The challenge in this case, as with any data breach, is not identifying the most important lessons to be learned, but rather communicating those lessons in ways that effect meaningful changes in employee behavior.