Cyber Incident Victim: Blackburn High School

On May 19, 2017, Blackburn High School in Melbourne discovered a significant security breach involving unauthorized access to its systems. Personal information of students and families—including phone numbers, addresses, and Medicare details—was illegally downloaded and subsequently posted to at least one file-sharing website. The compromised data affected both current and former students. Shortly after the initial breach, a phishing email impersonating the school principal was distributed to parents, fraudulently requesting credit card details. Several parents complied, providing their financial information to the attackers. While the exact method of initial system access remains unclear, a parent reported that a teacher’s laptop had been hacked prior to the phishing campaign. The school promptly alerted authorities, with Victoria Police initiating an investigation that included at least one person of interest assisting inquiries.

The Victorian Department of Education confirmed the breach on May 24, collaborating with the school to engage IT specialists to locate and remove the exposed data from online platforms. A dedicated call center was established to support affected families, providing guidance on protecting their information. This incident marked the second major privacy failure involving the department within two months, following an April 2017 incident where unredacted student records—including mental health issues, bullying incidents, and medical conditions—were accidentally published on its website, impacting 115 families. The Blackburn attack reflected a broader pattern of scammers targeting Australian institutions, with recent phishing campaigns impersonating entities like Australia Post, Origin Energy, and the Australian Tax Office to harvest financial and personal data. No motive for targeting Blackburn High School was identified in official statements.