SPELD Victoria notifies Information Commissioner (OAIC) of a data breach 29/11/2019

Dear Members of the SPELD Victoria Community

Further to our recent email regarding a virus that breached our system, and subsequent spam email activity, we are writing to provide you with an update.

SPELD Victoria has informed the Office of the Australian Information Commissioner (OAIC) of this breach. The statement to the OAIC is outlined below.

SPELD Victoria sincerely apologizes for any inconvenience caused and encourages the SPELD Victoria community to remain vigilant to spam emails and to alert us if you receive any suspicious emails from us.

We have also reviewed our broader security measures, in line with the steps below.

If you have any further questions, please contact us on 9480 4422.

Statement to the Office of the Australian Information Commissioner (OAIC) – 29/11/2019

Organisation/agency name: SPELD Victoria Inc

Phone: 9480 4422

Email: admin@speldvic.org.au

Address: Level 3, 673 Bourke Street, Melbourne, Vic 3000

Description of the eligible data breach

On 30/10/19 staff noted encrypted files on desktops and some program files on servers. The ransomware virus (Ryuk) was identified. The encryption process was stopped by our anti-virus software.

All computers were shut down immediately. Our IT providers re-built all computers; restored the server to its pre-infected state; replaced the firewall with an active geographical location filter; changed all passwords; and SPELD Victoria sent a warning email to staff and clients.

Subsequently, on 7/11/19 some of our clients indicated to us that they were receiving spam emails from a member of our staff, containing an infected email attachment. The sender uses a non-SPELD Victoria address but pretends to be a SPELD Victoria staff member.

A client expressed concern that the staff member’s admin email account had been compromised and may be disclosing private and confidential information.

Information involved in the data breach

Kind or kinds of personal information involved in the data breach

As the peak Victorian body for Specific Learning Difficulties, SPELD Victoria undertakes diagnostic assessments and provides reports which contain personal and sensitive information. When the reports are finalised we send them out to the clients in PDF format.

It is possible but not confirmed that some emails may have been intercepted and the reports accessed.

Diagnostic assessment reports include personal data and the results of tests such as cognitive (IQ) assessments, various literacy and numeracy assessments, comprehension, and working memory, which collectively provide a comprehensive educational profile and identify whether there is a Specific Learning Disability such as dyslexia.

In addition, please select any categories that apply:

√ Contact information (e.g. home address, phone number, email address)

√ Health information

Recommended Steps

  • Advise staff and clients not to open any suspicious files or attachments.
  • Advise staff and clients to check that emails received from the SPELD Victoria admin account carry the legitimate SPELD Victoria address (admin@speldvic.org.au), and not to open any attachments coming from past staff members with a different address.
  • Phone anyone who has alerted SPELD Victoria that they are receiving spam emails from SPELD Victoria.
  • Implement an encryption procedure for all future diagnostic reports being sent out to clients.
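In the spirit of the second step above, an added example (not part of the SPELD Victoria notice or of any SPELD Victoria system) of a mail-header check that flags messages whose display name claims a SPELD Victoria identity while the actual address is outside speldvic.org.au, and notes whether they carry an attachment. The two sample messages and the mail-host.invalid address are constructed for illustration.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

LEGITIMATE_DOMAIN = "speldvic.org.au"  # the only address domain the notice names as genuine

def check_sender(raw: bytes) -> dict:
    # Flag mail whose display name claims SPELD Victoria but whose address is elsewhere.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_org = "speld" in display_name.lower()      # display name asserts the organisation
    legit_domain = domain == LEGITIMATE_DOMAIN
    has_attachment = any(p.get_filename() for p in msg.iter_attachments())
    return {
        "from": addr,
        "claims_org": claims_org,
        "legit_domain": legit_domain,
        "has_attachment": has_attachment,
        # the pattern from the notice: SPELD identity in the name, foreign address behind it
        "suspicious": claims_org and not legit_domain,
    }

# Constructed sample messages (not real mail); the spoofed one mirrors the notice's pattern.
SPOOFED = b"""From: "SPELD Victoria Admin" <admin@mail-host.invalid>
Subject: Your assessment report
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached report.
--b1
Content-Type: application/octet-stream; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

GENUINE = b"""From: SPELD Victoria <admin@speldvic.org.au>
Subject: Office hours
Content-Type: text/plain

Our office is open Monday to Friday.
"""
```

Running `check_sender(SPOOFED)` marks the message suspicious with an attachment present, while `check_sender(GENUINE)` passes because the address domain matches.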

Other entities affected

No.