Cyber Incident Victim: Loreto Mandeville Hall Toorak

On or around 14 May 2023, Loreto Toorak, also referred to as Loreto Mandeville Hall, became aware of a cybersecurity incident. The school identified that an unknown third party had gained unauthorized access to a portion of its IT environment. Upon discovery of the breach, the school promptly engaged leading external cybersecurity experts to assist in securing its systems and to conduct a formal investigation into the incident. The immediate priority was to contain the unauthorized access and to assess the scope of the compromise. As part of the ongoing investigation, by 31 May 2023, the school ascertained that a set of data had been copied from its IT environment. Furthermore, it was confirmed that some of this exfiltrated data had been disclosed online. The school immediately reviewed the specific data that had been published and took steps to notify individuals who were deemed to be at immediate risk due to this disclosure. The school also committed to reviewing any further data disclosures should they occur and to directly contact anyone assessed to be at risk from those subsequent releases.

The investigation into the full extent of the information accessed during the breach remained ongoing throughout June 2023. The school provided periodic updates on its website, acknowledging the continued work and thanking its staff, parents, families, and the wider school community for their support during the process. In parallel with the technical investigation, the school formally notified several government agencies about the incident. These agencies included the Office of the Australian Information Commissioner, the Australian Cyber Security Centre, and Victoria Police. The school stated its intention to keep these agencies updated as the investigation progressed. In response to the incident, Loreto Toorak implemented additional security measures and protections across its IT environment. These measures were designed to further secure systems and to enhance the immediate detection of any future unusual activity. The school also issued a recommendation to its community to remain vigilant against the potential risk of phishing or other scam communications from parties falsely claiming to be from Loreto Toorak, advising individuals not to respond to any suspicious emails, telephone calls, or social media communications.

By 17 July 2023, the school confirmed that the detailed investigation was nearing completion. It announced that it would soon be communicating directly with individuals whose information may have been affected, as required. The school assured the community that it would provide guidance and support to those individuals to help them protect their information moving forward. The school reiterated that it had engaged leading cyber security experts for the investigation after the unauthorized access occurred. It also confirmed that it had notified the relevant government agencies, including the Office of the Australian Information Commissioner, the Australian Cyber Security Centre, Victoria Police, and other relevant bodies, to support its response efforts. The apology for the concern caused was repeated, along with thanks for the community's support and patience during the notification process.

On 1 August 2023, the school provided a significant update, confirming that it had issued notifications to individuals whose information may have been involved in the incident. The school stated it would continue to provide guidance and support to help these affected individuals protect their information. A key point communicated was that the school had no evidence that any personal information had been misused as a result of the incident. The notifications included detailed information and advice on how individuals could protect their personal information. The school again apologized for any concern the incident had caused and thanked the community for their ongoing support during the detailed investigation. Contact information, including a dedicated email address ([email protected]) and a dedicated cyber security incident phone line (03 8290 7817), was provided for any further queries.

A subsequent update was provided on 15 August 2023, stating that the school was continuing to provide guidance and support to the community. This included assisting individuals who had queries following their notification. The school urged individuals who had received a notification to review the contained information closely and to get in touch with any further questions. For those who had not received a notification but had questions about whether their information was involved, the school encouraged them to reach out via the provided contact channels. The school reaffirmed its commitment to supporting the community through the process and provided a link to guidance on steps to protect information against potential misuse. The ongoing understanding and support of the school community were again acknowledged.

The final update on the incident was published on 4 October 2023. The school confirmed that it had finalised its response to the cybersecurity incident as required. It thanked the community for their support and patience throughout the incident response and apologized once more for any concern the incident had caused. Loreto Toorak stated that it takes cybersecurity and the protection of personal information seriously and that it remained committed to providing guidance and support to affected individuals. The contact information for the dedicated email and phone line was reiterated for anyone seeking further information on steps to protect their information against potential misuse. This marked the conclusion of the school's public response and update process regarding the May 2023 cyber incident.