Data Breach at RSPCA Victoria

Following an independent external cyber security investigation, RSPCA Victoria has found that customers’ and some staff and volunteer information was unlawfully accessed by unknown parties during a highly sophisticated cyber attack.

RSPCA Victoria sincerely regrets any concern or disruption caused by the incident.

In the past 18 months there has been an acceleration in cyber security attacks across the globe - particularly as workplaces transitioned to remote working. Despite having robust security processes and systems already in place, RSPCA Victoria was targeted by unknown parties who illegally accessed data. 

While no financial details or passwords were compromised, the IT investigation found the unknown parties illegally accessed some details including names, addresses, date of birth and driver licence numbers. 

RSPCA Victoria CEO, Dr Liz Walker, said that the organisation was treating the incident very seriously, and has set up a dedicated data breach hotline to assist affected individuals with any queries. The hotline number is 03 9224 2202 (Monday to Friday from 8.30am – 4.30pm AEST).

“The security of our information is incredibly important to helping achieve our goal of ending cruelty to all animals. Our community is at the heart of our organisation and their confidence is critical to our ongoing work in animal welfare,” said Dr Walker.

“We have responded quickly by conducting a thorough investigation and have taken important steps to bolster the security of our technology systems to help prevent any similar incidents happening in the future.”

RSPCA Victoria contacted all impacted individuals on 26 May 2021 to alert them to the data breach and provide guidance on how to protect their personal information.

RSPCA Victoria has reported the incident to Victoria Police, the Office of the Australian Information Commissioner and the Australian Cyber Security Centre, and is committed to cooperating with their investigations. The Australian Cyber Security Centre reference number for this matter is ACSC-2107.

 

FAQs 

Who does this data breach impact?

RSPCA Victoria has become aware of a cyber security incident that affects the data of a number of our customers including information provided to us while completing an online adoption form. Those impacted have been contacted directly and the below information details our response and provides tips on how to protect personal data.


Who can I contact for advice?

Please contact our dedicated hotline (03 9224 2202).

Alternatively, if you are concerned about the potential misuse of your personal information, we have arranged free support from IDCARE, Australia’s national identity and cybersecurity community support service. Please engage an IDCARE Case Manager via IDCARE’s Get Help Web Form here.  if you have broader identity security concerns. Alternatively you may visit IDCARE’s Learning Centre for further information and resources on protecting your personal information. IDCARE’s services may be accessed by providing referral code RSP21-IDC when completing its Get Help Web Form.



What is a notifiable data breach?

The Australian Government Office of the Australian Information Commissioner (OAIC) provides the following information:

Under the Notifiable Data Breaches schemean organisation or agency that must comply with Australian privacy law has to tell you if a data breach is likely to cause you serious harm.

Examples of serious harm include:

  • identity theft, which can affect your finances and credit report
  • financial loss through fraud
  • a likely risk of physical harm, such as by an abusive ex-partner
  • serious psychological harm
  • serious harm to an individual’s reputation.

An organisation or agency must also tell the OAIC about a serious data breach. Generally, an organisation or agency has 30 days to assess whether a data breach is likely to result in serious harm.

When a data breach occurs, the OAIC expects an organisation or agency to try to reduce the chance that an individual experiences harm. If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn’t need to tell the individual about the data breach.

More information is available here: https://www.oaic.gov.au/privacy/data-breaches/ 

What information was exposed during this breach?

  • No financial details, passwords or copies of driver licences were accessed as this information was not in the database.
  • Employees and volunteers – full names, home addresses, contact details, driver licence numbers and expiry dates
  • Adoption applicants - full names, home addresses, contact details, driver licence numbers

 

What can I do to protect myself?

  1. Contact one of the free helplines to discuss your options.
  2. Apply for a Credit Report and Credit Ban 

    To help protect yourself from identify theft, or determine whether this has already occurred, advise that you apply for a free credit report and a credit ban from one of the following Australian Credit Reporting Agencies:

  3. Protecting your Identity

In addition, as previously advised, we request as a matter of urgency that you:


How can I protect my personal data from being used?

The investigation by an external cyber security expert was unable to determine if this information was downloaded or recorded. However, there remains the possibility that unknown parties could use these details for harmful activity such as identity fraud.

Your personal details were accessed by these unknown parties and may remain accessible. However, typically if identify fraud is to occur it happens very soon after the information was accessed. This is because malicious users know that people’s personal details can change so they will try to use them as soon as possible.

By applying for a credit report and credit ban you can see whether your details have been used for identity fraud and prevent it from happening in the future. Before you do this, we recommend you call one of the helplines listed.

We encourage you to be on alert for scam activity such as phone calls, text messages or emails with suspicious links, attachments or requests for personal information. We recommend you refrain from engaging with these emails and delete them immediately.

Can I make a formal complaint about this?

Yes. You can make a formal complaint to RSPCA Victoria or the Office of the Australian Information Commissioner. The first step is to make a formal complaint to RSPCA Victoria – to do so, please email our Privacy Officer at privacy@rspcavic.org.au

What is another way I can do adoption applications if I don’t want to do them online?

You can call our friendly Customer Care team to enquire about the animals we have on site and book an appointment.

However, we will still need to take note of your details in our system to ensure we can match you with the right animal and can report on all customer interactions.


Will I be notified if the unknown parties are caught?

Yes, we will continue to keep you updated on the section of our website addressing this issue www.rspcavic.org/databreach and will also keep you updated via email.

Unfortunately, in these situations, the perpetrator is often not caught so we cannot guarantee we will be able to provide you with this update.