Notification of data breach

Late last year, the information technology (IT) system of St Anne’s School, Kew East, was accessed by an unauthorised third party.

Working closely with the school and a team of cybersecurity experts, Melbourne Archdiocese Catholic Schools (MACS) began the process of forensically identifying the nature and extent of this unauthorised access.

The forensic audit has identified that the unauthorised third party may have had access to the data held by the school on its current and former staff, and current and former students and their families.

The advice we have received is that it is unlikely the unauthorised third party accessed this data or copied it from school systems.

However, given the complex nature of the attack, we are unable to confirm that with absolute certainty.

What information was affected?
Based on our investigation, your personal information that may have been affected by this incident includes:

  • full name
  • home address
  • contact details (including phone number/s and email address)
  • financial information (including credit card details).

It also includes the following information about your child:

  • full name and date of birth
  • photographs of them in school environments (for example, yearly school photos)
  • nationality
  • guardian and carer details
  • emergency contact information
  • medical conditions (including allergies), medical provider and Medicare details
  • disability details
  • private health insurance details.

If you are or were a staff member at St Anne’s School, the following information may be affected:

  • full name and date of birth
  • home address
  • contact details (including phone number/s and email address)
  • signature
  • employment details, including salary, date you were hired and employee class
  • financial information, such as tax file number, superannuation, bank account details (BSB and account number) and novated leasing agreements
  • health information, including your COVID-19 vaccination certificate and Individual Healthcare Identifier.

What have we done in response to the breach?
With the support of the school’s IT vendors, and MACS and its team of cybersecurity experts, the school’s systems, security settings and IT procedures have been further strengthened against future unauthorised cyber attacks.

MACS has provided the Australian Cyber Security Centre (ACSC) with specific technical details of the attack to assist with improving cybersecurity across all organisations. No student or staff information is provided to the ACSC.

The Office of the Australian Information Commissioner (OAIC) has been notified of this unauthorised access, as required by Australian privacy law.

What does this mean for you?
We strongly encourage you to carefully review the information that may have been affected by this incident and consider taking the following steps to protect yourself:

  • Look out for emails and telephone calls from people requesting your personal details (especially your date of birth, residential address, email address, username or passwords, which are often used to verify your identity).
  • Immediately change any passwords used on school systems that you have reused elsewhere.
  • Contact IDCARE on 1800 595 160 or visit www.idcare.org for additional guidance on the steps you can take to protect yourself from identity fraud. IDCARE has expert case managers who can work with you to address concerns in relation to personal information risks and any instances where you think your information may have been misused. IDCARE’s services are at no cost to you. Note that IDCARE specialist case managers are available from 9 am to 6 pm AEDT Monday to Friday, excluding public holidays. When engaging IDCARE, please use the referral code MACS23.
  • If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call Register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.

Some individuals may also have had their financial information impacted. If you have provided financial details to St Anne’s School in the past, you should consider:

  • alerting your financial institution so that it can implement additional monitoring and security protocols on your account
  • closely monitoring your financial statements for unauthorised transactions. If you identify a transaction you didn’t make, report it immediately to your financial institution
  • changing your online bank account password and PIN, and enabling multi-factor authentication if possible
  • contacting Australia’s three credit reporting agencies (Equifax, illion and Experian) to confirm if your identity has been used to obtain credit without your knowledge or to ask for a credit ban to be put in place
  • contacting the Australian Taxation Office on 1800 467 033 and your superannuation fund, so that they can consider placing additional monitoring and security protocols on your account.

More information
If you have any concerns about the potential misuse of your information, please contact IDCARE using the instructions above.

If you would like more information about what has happened at St Anne’s School, please contact the school on 03 9859 4116.

For further details about the specific information of yours that may be affected, please email csinformation@macs.vic.edu.au and you will be contacted by a representative of MACS.

The OAIC is also available if you wish to provide feedback on this matter via www.oaic.gov.au/privacy/privacy-complaints.

We unreservedly apologise for this inconvenience and appreciate your understanding as we have responded to this incident.

Yours sincerely

Mirijana Jovic
Director, Finance and Infrastructure Services