[BreachExchange] Third Party Accessed Victorian Government Directory

[Destry Winant]

https://www.infosecurity-magazine.com/news/third-party-accessed-victorian/

A list of employee names, work phone numbers and job titles available
to government employees through the Victorian Government directory was
reportedly accessed by an unauthorized third party. According to the
Australian Broadcasting Corporation (ABC), information on
approximately 30,000 Victorian public servants was stolen in a data
breach, after an unknown party downloaded a portion of the directory.

Employees that might have been impacted were notified via an email
message which explained: "Because of this incident you may experience
increased phishing, spam and social engineering attempts via your work
email address and telephone numbers. As always, you should be aware of
these risks and remain vigilant when it comes to unsolicited
communications via email and telephone," ABC reported.

The breach was reported to the police, as well as to the Australian
Cyber Security Centre and the Office of the Victorian Information
Commissioner. In addition, a spokesperson for the Premier’s Department
said in a prepared statement: “The Government will ensure any
learnings from the investigation are put in place to better protect
against breaches like this in the future.”

Even though the breach occurred in 2018, it is Australia’s first
breach announcement for 2019. As security professionals prepare for
the cyber challenges that the new year will bring, organizations
around the globe are focusing on tightening up their privacy
regulations and controls in the wake of back-to-back data breaches.

However, while businesses increasingly tend to privacy policies and
compliance requirements, “accidents” remain common. These accidental
privacy missteps can lead to the exposure of confidential, corporate
or sensitive data, yet they are often a result of human error or a
lapse in clear thinking due to the fast-pace, intense nature of
certain work circumstances.

The investigation into the breach of the directory remains ongoing,
and it is too early to say what happened; however, Adnan Dakhwe, head
of security and compliance at Vera, said that corporations are often
challenged when it comes to keeping pace with employee turnover, a
common innocent mistake that can jeopardize the integrity of data,
regardless of security measures and policies in place.

“Too often organizations stall in revoking access to sensitive files
and corporate folders, once employees have parted ways with the
organization. Keeping access permission updated in real time is
essential to ensure private data isn’t jeopardized,” Dakhwe said.