Following an independent external cyber security investigation, RSPCA Victoria has found that customers’ and some staff and volunteer information was unlawfully accessed by unknown parties during a highly sophisticated cyber attack.
RSPCA Victoria sincerely regrets any concern or disruption caused by the incident.
In the past 18 months there has been an acceleration in cyber security attacks across the globe - particularly as workplaces transitioned to remote working. Despite having robust security processes and systems already in place, RSPCA Victoria was targeted by unknown parties who illegally accessed data.
While no financial details or passwords were compromised, the IT investigation found the unknown parties illegally accessed some details including names, addresses, dates of birth and driver licence numbers.
RSPCA Victoria CEO, Dr Liz Walker, said that the organisation was treating the incident very seriously, and has set up a dedicated data breach hotline to assist affected individuals with any queries. The hotline number is 03 9224 2202 (Monday to Friday from 8.30am – 4.30pm AEST).
“The security of our information is incredibly important to helping achieve our goal of ending cruelty to all animals. Our community is at the heart of our organisation and their confidence is critical to our ongoing work in animal welfare,” said Dr Walker.
“We have responded quickly by conducting a thorough investigation and have taken important steps to bolster the security of our technology systems to help prevent any similar incidents happening in the future.”
RSPCA Victoria contacted all impacted individuals on 26 May 2021 to alert them to the data breach and provide guidance on how to protect their personal information.
RSPCA Victoria has reported the incident to Victoria Police, the Office of the Australian Information Commissioner and the Australian Cyber Security Centre, and is committed to cooperating with their investigations. The Australian Cyber Security Centre reference number for this matter is ACSC-2107.
RSPCA Victoria has become aware of a cyber security incident that affects the data of a number of our customers including information provided to us while completing an online adoption form. Those impacted have been contacted directly and the below information details our response and provides tips on how to protect personal data.
Please contact our dedicated hotline (03 9224 2202).
Alternatively, if you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service. Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form if you have broader identity security concerns. Alternatively, you may visit IDCARE’s Learning Centre for further information and resources on protecting your personal information. IDCARE’s services may be accessed by providing referral code RSP21-IDC when completing its Get Help Web Form.
The Australian Government Office of the Australian Information Commissioner (OAIC) provides the following information:
Examples of serious harm include:
An organisation or agency must also tell the OAIC about a serious data breach. Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm.
When a data breach occurs, the OAIC expects an organisation or agency to try to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn’t need to tell the individual about the data breach. More information is available here: https://www.oaic.gov.au/privacy/data-breaches/
To help protect yourself from identity theft, or determine whether this has already occurred, we advise that you apply for a free credit report and a credit ban from one of the following Australian Credit Reporting Agencies:
Both the free credit report and credit ban can be ordered online and the process is straightforward and not time consuming.
Once you have the credit report, please review it to ensure there are no recent activities or lines of credit (e.g. credit cards, loans etc.) that you are not aware of.
We have reported the breach to the Australian Cyber Security Centre (ACSC). The ACSC Reference Number is ACSC-2107.
Your credit ban is initially in place for a 21-day period. We encourage you to extend the credit ban beyond 21 days.
To do this, please quote the ACSC Reference Number ACSC-2107 in the credit ban instructions, as this will enable the credit agency to extend the credit ban beyond the initial 21-day ban period.
In addition, as previously advised, we request as a matter of urgency that you:
The investigation by an external cyber security expert was unable to determine if this information was downloaded or recorded. However, there remains the possibility that unknown parties could use these details for harmful activity such as identity fraud.
Your personal details were accessed by these unknown parties and may remain accessible. However, typically if identity fraud is to occur, it happens very soon after the information was accessed. This is because malicious users know that people’s personal details can change, so they will try to use them as soon as possible.
By applying for a credit report and credit ban you can see whether your details have been used for identity fraud and prevent it from happening in the future. Before you do this, we recommend you call one of the helplines listed.
You can call our friendly Customer Care team to enquire about the animals we have on site and book an appointment. However, we will still need to take note of your details in our system to ensure we can match you with the right animal and can report on all customer interactions.
Yes, we will continue to keep you updated on the section of our website addressing this issue www.rspcavic.org/databreach and will also keep you updated via email.
Unfortunately, in these situations, the perpetrator is often not caught so we cannot guarantee we will be able to provide you with this update.