Melbourne TAFE data breach exposes 55k student, staff files

The personal information of students and staff from one of Victoria’s largest TAFEs has been accessed in a data breach that exposed more than 50,000 files held on the institute’s IT systems.

Melbourne Polytechnic's Preston Campus

Melbourne Polytechnic disclosed the “highly complex” data breach, which occurred sometime between September and December 2018, on Wednesday after extensive forensic analysis.

It said it was notified of the “data theft” in October 2019 following an investigation by Victoria Police and has spent the past months working to determine the extent and scale of the breach.

The individual allegedly responsible for the breach has been charged by police, with a trial expected later this year.

The breach has affected students, staff and suppliers whose details were held on Melbourne Polytechnic’s IT systems between September and December 2018.

A spokesperson told iTnews that around 90,000 individuals have been impacted by the breach.

Forensic analysis has concluded that 55,000 files containing personal, health and financial data were accessed. The system containing student performance records was not impacted.

For the majority of affected individuals, access was gained to their Melbourne Polytechnic usernames, passwords and email addresses.

“It is possible that any information held in those Melbourne Polytechnic accounts at that time was exposed,” the institute said.

But it also warned that “a small number of people” may have also had passport, driver’s licence, credit or debit card, superannuation account, tax file number and Medicare details accessed.

Melbourne Polytechnic said it has begun contacting affected individuals whose personal data was accessed in the breach.

A personalised summary of the specific types of information that was access has been included for each affected individual.

In a statement, Melbourne Polytechnic CEO Frances Coppolillo apologised to staff, students and suppliers affected by the breach

“On behalf of Melbourne Polytechnic, I offer my sincere apologies to all the people affected by this data breach,” she said.

“In sharing your information, you expected us to keep it safe and I am sorry that we were not able to do so.

“We are deeply sorry for the impact that the theft of this personal data might have.”

Coppolillo said the institute had conducted an independent review of its cyber security procedures in light of the breach and was currently “implementing a range of improvements including software and hardware upgrades to better protect our IT systems”.

“This data breach was highly complex in nature and it has taken many months to fully understand its scale and impact, including identifying the names and contact details of the people affected and the details of how they were impacted by the breach,” she said.

“With the forensic analysis now complete, we have acted as quickly as possible to notify affected individuals and to support them to take the actions needed to protect themselves.

“I would also like to apologise for the length of time it has taken us to be able to share this information with the people concerned.”

Update 3:20pm: To include additional information on the number of individuals affected by the breach.