Cyber Incident Victim: Mount Lilydale Mercy College
Date: Jan 2023
Location: Australia
Summary
A cyber incident at Mount Lilydale Mercy College compromised the credit card details of approximately 400 parents; hackers accessed card numbers but not CCV information. The secondary school engaged cybersecurity specialists and forensic investigators following the breach and reported the incident to relevant Australian authorities, including the Office of the Australian Information Commissioner and the Australian Federal Police. The AFP had alerted the institution to suspicious network activity before the discovery. The breach occurred amid broader cybersecurity challenges affecting educational institutions, though it was unrelated to separate incidents at other schools involving exposure of sensitive student data such as Medicare numbers and health records. The college emphasized its commitment to data protection best practices in response.
Description
Mount Lilydale Mercy College, a Catholic secondary school in Melbourne's outer east with approximately 1500 students, discovered a cybersecurity incident on January 11, 2023, involving unauthorized access to parental credit card information. The breach affected roughly 400 parents who had submitted payment details to the school. According to Principal Philip Morison, hackers obtained credit card numbers but did not access CCV security codes. The school promptly engaged specialist incident response teams, including cybersecurity analysts and forensic IT investigators, to address the compromise. Morison publicly apologized for the incident, emphasizing the institution's commitment to data protection and adherence to best practices in handling the breach. While the exact method of intrusion remained unspecified, the school initiated internal investigations and began implementing measures to mitigate future risks to personal information.

The Australian Federal Police had contacted the school earlier in January 2023 after detecting potentially suspicious activity originating from the college's network during routine monitoring of illicit online marketplaces, including dark web forums. Mount Lilydale Mercy College formally reported the incident to multiple national authorities: the Office of the Australian Information Commissioner, Australian Cyber Security Centre, Australian Taxation Office, and Australian Federal Police. An AFP spokesperson noted the increasing prevalence of cybercrime tied to expanded online services and data collection, highlighting how stolen personal data holds significant value for criminals. This incident occurred alongside unrelated breaches at other educational institutions, including Kilvington Grammar School's late 2022 compromise of student Medicare numbers and health records, though no operational connection between these events was established. The college maintained focus on securing systems and coordinating with investigators while notifying affected families about the exposure of financial data.
