Dear Members of the SPELD Victoria Community
Further to our recent email regarding a virus that breached our system, and subsequent spam email activity, we are writing to provide you with an update.
SPELD Victoria has informed the Office of the Australian Commissioner (OAIC) of this breach. The statement to the OAIC is outlined below.
SPELD Victoria sincerely apologizes for any inconvenience caused and encourages the SPELD Victoria community to remain vigilant to spam emails and alert us if you receive any suspicious emails from us.
We have also reviewed our broader security measures, in line with the steps below.
If you have any further questions, please contact us on 9480 4422.
Statement to the Office of the Australian Commissioner (OAIC) – 29/11/2019
Organisation/agency name: SPELD Victoria Inc
Phone: 9480 4422
Address: Level 3, 673 Bourke Street, Melbourne, Vic 3000
Description of the eligible data breach
On 30/10/19 staff noted encrypted files on desktops and some program files on servers. The ransomware virus (RYUK) was identified. The encryption process was stopped by our anti-virus software.
All computers were shut down immediately. Our IT providers re-built all computers; restored the server to pre-infected state; replaced the firewall with an active geographical location filter; changed all passwords; and SPELD Victoria sent a warning email to staff and clients.
Subsequently, on 7/11/19 some of our clients indicated to us that they were receiving spam emails from a member of our staff, containing an infected email attachment. The sender uses a non-SPELD Victoria address but pretends to be a SPELD Victoria staff member.
Concern expressed by client that the staff member’s admin email account had been compromised and may be disclosing private and confidential information.
Information involved in the data breach
Kind or kinds of personal information involved in the data breach
As the peak Victorian body for Specific Learning Difficulties, SPELD Victoria undertakes diagnostic assessments and provides reports which contain personal and sensitive information. When the reports are finalised we send them out to the clients in PDF format.
It is possible but not confirmed that some emails may have been intercepted and the reports accessed.
Diagnostic assessment reports include personal data and results of tests such as cognitive (IQ) results; various literacy and numeracy assessments, comprehension, and working memory which collectively provide a comprehensive educational profile and identify if there is a Specific Learning Disability such as dyslexia.
In addition, please select any categories that apply:
√ Contact information (e.g. home address, phone number, email address)
√ Health information
Other entities affected