Cyber Incident Victim: Darebin City Council

Darebin City Council publicly addressed a cybersecurity incident involving its third-party supplier, OracleCMS, on April 20, 2024. OracleCMS managed after-hours customer support services for Darebin and multiple other local councils across Victoria and Australia. The council became aware that an unauthorized third party had gained access to a portion of OracleCMS's data, with some files subsequently published online. In response, Darebin immediately suspended its service with OracleCMS and implemented proactive measures to maintain after-hours customer support through alternative arrangements, including staff on-call availability for urgent safety issues related to council services. OracleCMS engaged external cybersecurity experts to secure their systems and investigate the breach upon detection. Preliminary findings indicated the compromised data primarily consisted of corporate information, specifically contract details and invoices.

The supplier's initial assessment suggested any exposed customer information from after-hours service interactions would likely be limited to basic contact details, which OracleCMS and Darebin considered low-risk. Darebin confirmed its internal systems remained uncompromised throughout the incident. The council collaborated with OracleCMS to further investigate the breach's scope and potential impacts on stakeholders. Darebin committed to directly notifying affected customers if investigations confirmed unauthorized access to personal data, with guidance on mitigating misuse risks. The council emphasized its serious approach to information security and acknowledged community concerns, referencing Victorian Government resources for data breach recovery without providing additional mitigation advice beyond supplier-led containment efforts.