Scouts Victoria sent an email late yesterday to affected people about a security incident that occurred in late July and early August. Unauthorised access to the organisation's email system, through a phishing attack, resulted in access to two staff email accounts and a "shared dropbox".
The list of data compromised is significant and could result in significant harm, with Scouts Victoria telling affected parties via email that names, email addresses, residential addresses, driver's licences, Medicare and passport numbers, tax file numbers, and copies of handwritten signatures were all in the treasure trove of data that was stolen. In some cases, bank account, criminal history information, and parenting orders pertaining to child custody arrangements were also exposed.
"The investigation found that correspondence relating to a number of individuals associated with Scouts Victoria is among the data potentially accessed by unauthorised third parties," a statement from a Scouts Victoria spokesperson said.
Recent research from Webroot suggested that as many as one in five Australians click on phishing emails with many security experts pointing to COVID-19-related scams being widely employed by thieves. At the same time, the Australian Competition and Consumer Commission reports that the number of scam reports is on the rise.
The breach has been reported to the Office of the Australian Information Commissioner.
The Australian Tax office (ATO) has also been informed, with Scouts Victoria saying the ATO has taken steps to place additional security measures to reduce the risk of fraud for people affected by the data loss.
Similarly, Scouts Victoria said it has contacted the Department of Human Services to mitigate the risk of any fraudulent use of compromised Medicare credentials.
Scouts Victoria added that an extensive forensic investigation and security review was completed.
No data pertaining to minors was directly released although parenting plans were accessed, Scouts Victoria said. The organisation added that data from one of the platforms it uses, Operoo -- formerly called Care Monkey -- was also not accessed.
Affected parties are being urged to not open email attachments from untrusted sources -- advice Scouts Victoria might have taken too before the breach.