SPELD Victoria notifies Information Commissioner (OAIC) of a data breach 29/11/2019

Dear Members of the SPELD Victoria Community

Further to our recent email regarding a virus that breached our system, and subsequent spam email activity, we are writing to provide you with an update.

SPELD Victoria has informed the Office of the Australian Commissioner (OAIC) of this breach.   The statement to the OAIC is outlined below.

SPELD Victoria sincerely apologizes for any inconvenience caused and encourages the SPELD Victoria community to remain vigilant to spam emails and alert us if you receive any suspicious emails from us.

We have also reviewed our broader security measures, in line with the steps below.  

If you have any further questions, please contact us on 9480 4422. 

Statement to the Office of the Australian Commissioner (OAIC) – 29/11/2019

Organisation/agency name         SPELD Victoria Inc

Phone                                                   9480 4422

Email                                                     admin@speldvic.org.au

Address                                               Level 3, 673 Bourke Street, Melbourne, Vic 3000

Description of the eligible data breach

On 30/10/19 staff noted encrypted files on desktops and some program files on servers.  The ransomware virus (RYUK) was identified. The encryption process was stopped by our anti-virus software. 

All computers were shut down immediately.  Our IT providers re-built all computers; restored the server to pre-infected state; replaced the firewall with an active geographical location filter; changed all passwords; and SPELD Victoria sent a warning email to staff and clients.

Subsequently, on 7/11/19 some of our clients indicated to us that they were receiving spam emails from a member of our staff, containing an infected email attachment.  The sender uses a non-SPELD Victoria address but pretending to be a SPELD Victoria staff member.

Concern expressed by client that the staff member’s admin email account had been compromised and may be disclosing private and confidential information.

Information involved in the data breach

Kind or kinds of personal information involved in the data breach

As the peak Victorian body for Specific Learning Difficulties, SPELD Victoria undertakes diagnostic assessments and provide reports which contain personal and sensitive information. When the reports are finalised we send them out to the clients in pdf format. 

It is possible but not confirmed that some emails may have been intercepted and the reports accessed. 

Diagnostic assessment reports include personal data and results of tests such as cognitive (IQ) results; various literacy and numeracy assessments, comprehension, and working memory which collectively provide a comprehensive educational profile and identify if there is a Specific Learning Disability such as dyslexia. 

In addition, please select any categories that apply:

√ Contact information (e.g. home address, phone number, email address)

√ Health information

Recommended Steps

  • Advise staff and clients not to open any suspicious files or attachments.
  • Advise staff and clients to check received emails from the SPELD Victoria admin account, to ensure it has a legitimate SPELD Victoria address (admin@speldvic.org.au) and not to open any attachments coming from past staff members with a different address.
  • Phone anyone who has alerted SPELD Victoria that they are receiving spam emails from SPELD Victoria
  • Implement encryption procedure for all future diagnostic reports being sent out to clients.

Other entities affected