By Sahar Foladi and Ethan Benedicto
City of Greater Dandenong is one of many Victorian councils impacted in a data breach involving service provider Oracle CMS back in April.
According to council, approximately 3000 council records were affected as a result, related to after-hour phone calls in specific periods in 2010, 2016 and a period over 2020-’21.
A council spokesperson said council was made aware of a cyber-security incident involving Oracle CMS.
“Council’s own systems and databases have not been accessed. This data breach relates to Oracle CMS systems only.
“On learning of the breach, we immediately suspended part of the Oracle CMS service and brought in-house until we were confident that all risks had been adequately mitigated.
“We have been in close liaison with relevant Victorian Government authorities, Oracle CMS and other councils while the matter was thoroughly investigated.”
Council uses the third-party service provider for its after-hours phone call service, where Oracle takes calls on behalf of the Council.
“Depending on the issue, Oracle CMS may provide information, pass on messages or contact council duty staff. Oracle CMS provides this service for many local councils across Victoria,” the Greater Dandenong spokesperson said.
Deakin University professor and director of Centre for Cyber Resilience and Trust, Robin Doss, said that overall community confidence on organisations’ ability – councils included – would be impacted by these data breaches.
“This is a classic example of what we term as a supply chain risk and a supply chain compromise.
“So it’s, in a sense, OK for some councils to say our own systems haven’t been breached, but their responsibility now extends beyond that as well.
“In a sense it sort of places an onus on government agencies, broadly, that handle citizen data to not just look at how they manage the protection of information in their own internal systems, but also across their supply chains.
“When they enter into these sorts of relationships, some of the questions that they should be asking is around what security measures are in place to ensure that information that might be shared for the provision of services on their behalf is protected as well.”
Baw Baw Shire Council, alongside the City of Monash and the City of Whittlesea, are the most recent to report similar breaches, which all occurred in early June while City of Casey and Greater Dandenong Council remained unaffected.
Council said it will commence contacting affected people from the April breach.
The breach in April was done by ransomware group Lockbit which resulted in the unauthorised access and publication of 60GB of data.
The data leak came after a ransom demand set for 16 April 2024 was not met by OracleCMS.
“The data released is limited to what was provided during the call. In most cases this is name and phone number, and in some cases, the reason for the call.
“Council takes the privacy of our customers very seriously, including where customer information is being handled by third-parties.”
Victorian councils including Whitehorse City Council, Merri-bek City Council, Mitchell Shire Council, South Gippsland Shire Council and Yarra City Council, among others, were all victims of the breaches earlier in the year.
In a statement released by Oracle, it mentioned external experts guided their investigation and since reported there are no malicious activities within their IT environments.
They also enacted series of containments measures as well as a External Vulnerability Assessment and Penetration Test which found no vulnerabilities in their system.
“Again, we apologise for any concern caused by this incident, and reiterate our determination to support all those impacted in line with both our obligations, and those of our partners,“ Oracle stated.
“As this incident involved an unauthorised third-party gaining access to a portion of OracleCMS’ data before publishing files online, we wish to again share advice around how to protect yourself from the risk of data misuse, should your basic contact information be shared online.“
Professor Doss says people need to realise that the online world is very much intertwined with the physical world as an important safety factor to then not allow apps such as Snapchat to track locations and share with friends.
“Your location information is being shared, so somebody knows where you physically are, even though you think you’re in this online world.
“You never know when you might become a victim and then when that occurs, what are the support structures in place?”