Scouts Victoria has notified approximately 900 individuals whose personal details may have been accessed by third parties when staff email inboxes were breached.
The data breach, which Scouts Victoria said was “most likely” the result of a phishing attack, was identified by the organisation’s IT team in July and August this year.
Scouts Victoria said that it engaged digital forensic and cyber security experts to investigate the incident and the data involved in the breach after the IT team initially identified and blocked the unauthorised activity.
The “extensive” investigation found that sensitive information including residential addresses, credit card information, driver's licence numbers, birth certificates, criminal history information and court orders may have been accessed.
The data was stored as part of correspondence between Scouts Victoria and “a number of individuals” associated with the organisation.
“We have contacted individuals who we know may have been directly affected by this incident and will continue to work with them to address their concerns,” Scouts Victoria said in a statement.
The Office of the Australian Information Commissioner (OAIC) and Services Australia were also notified of the breach.
Scouts Victoria said the organisation has since “taken steps to ensure that incidents like this don’t reoccur”.
“We take our privacy obligations very seriously and are investing significant resources into investigating the source of the incident.
“While all affected members have been notified, we encourage anyone who has questions to contact Scouts Victoria and we can address any concerns they may have.”
The following information was identified in staff correspondence, and may have been accessed in the breach:
The data that we saw relating to individuals included:
- First name
- Last name
- Phone number
- Email address
- Residential address
- Date of Birth (DOB)
- Credit card information (full)
- Credit card information (partial)
- Tax File Number (TFN)
- Bank details (BSB and account number)
- Bank card
- Driver’s licence
- Other government-issued ID (i.e. Photo card)
- Working with children card
- Birth certificate
- Australian Electoral Commission information
- Medicare card
- Signatures (handwritten)
- Sensitive criminal history information
- Scouts membership number
- Court orders (including pertaining to parenting)
The Australian Competition and Consumer Commission's Scamwatch has received almost 24,000 reports of phishing scams in Australia so far this year, over 4200 of which were reported in August.