Xavier College cyber incident
In May last year, Xavier College became aware that a single employee’s email account had been subject to unauthorised access by an unknown third party. The impacted account belongs to one of our administrative team members and contained information collected in the course of their employment with the College.
In response to the incident, Xavier College undertook the following steps:
- engaged leading cyber security advisors to conduct an in-depth forensic investigation to confirm exactly what happened;
- took steps to ensure that the incident was contained;
- conducted a review of the email account to identify any at-risk individuals; and
- implemented ongoing training for staff and students around cyber vigilance and general online safety.
Our initial review of the affected email account identified at-risk personal information relating to 45 individuals. The 45 affected individuals were directly notified of the incident in July 2022. Xavier College also notified the Office of the Australian Information Commissioner and Australian Cyber Security Centre of the incident.
Subsequently, at the end of October 2022, Xavier College became aware of a threat to disclose contents from the email account on the internet. In response, Xavier College took immediate steps to reassess the data and consider whether any further individuals required notification. This analysis was completed in November 2022, and additional individuals were directly notified of the incident shortly after.
We have identified that there are individuals we were unable to contact directly, either due to invalid contact details or the absence of contact details. For this reason, we are posting this update to our website for any individuals that may be concerned that their information was involved but who we were unable to contact.
We confirm that the types of personal information impacted as a result of the incident include a combination of:
- contact information;
- financial details;
- identity information;
- Tax File Number, Medicare and Centrelink information;
- health information; and
- other information including correspondence relating to admissions, scholarships, bursaries and parenting arrangements.
At the date of this update, no data disclosure event has occurred. Xavier College has implemented dark web and media monitoring in order to alert us in circumstances where data is disclosed online. If we identify that data has been published, we attempt to have the data removed as quickly as possible.
We confirm that student academic records are stored on a separate system and that this information is not involved in the incident.
Xavier College takes the protection of data relating to staff, students and benefactors very seriously. We sincerely apologise that this has happened, and we are committed to keeping you updated as our assessment progresses. We are committed to supporting individuals who may be affected by this incident.
If you have any concerns about the incident, there are steps that you can take to protect yourself and your information, including:
- remain alert for any phishing scams that may come to you by phone, post or email;
- verify any communications you receive to ensure they are legitimate;
- be careful when opening or responding to texts or emails from unknown or suspicious sources and confirm their legitimacy; and
- monitor your credit card and bank statements for any suspicious transactions and contact your financial institution if you have any concerns.
If at any point you have concerns about identity theft (not just in relation to this incident), you can apply for an annual free credit report via Equifax, Illion or Experian.
If you have not received a notification but think you may have been impacted by the incident, or if you have any questions about this statement, please contact cyber@xavier.vic.edu.au.