Cyber Incident Victim: Scouts Victoria
Date: Jul 2020
Location: Australia
Summary
A phishing attack compromised Scouts Victoria's email system, resulting in unauthorized access to two staff accounts and a shared Dropbox containing highly sensitive personal data. Exposed information included names, addresses, driver's licenses, Medicare and passport numbers, tax file numbers, signatures, and in some cases bank account details, criminal histories, and child custody orders. The breach prompted notifications to Australian regulatory authorities, with tax and human services agencies implementing additional fraud protections. Forensic investigations confirmed no direct exposure of minors' data or information from the Operoo platform, though parenting plans were accessed during the incident.
Description
In late July and early August 2020, Scouts Victoria suffered a phishing attack that compromised its email system, granting unauthorized third parties access to two staff email accounts and a shared Dropbox repository. The breach was disclosed via email to affected individuals on September 24, 2020, following an investigation that confirmed extensive personal data exposure. Attackers obtained highly sensitive information including full names, email addresses, residential addresses, driver’s license details, Medicare numbers, passport numbers, tax file numbers (TFNs), and copies of handwritten signatures. For some victims, the compromise extended to bank account information, criminal history records, and legally sensitive parenting orders related to child custody arrangements. Scouts Victoria confirmed that correspondence associated with individuals connected to the organization was among the data potentially accessed.

The organization reported the breach to the Office of the Australian Information Commissioner and notified the Australian Taxation Office (ATO), which implemented additional security measures to protect affected individuals from tax fraud. Scouts Victoria also engaged the Department of Human Services to mitigate risks associated with compromised Medicare credentials. A forensic investigation and security review confirmed no data directly pertaining to minors was exposed, though parenting plans were accessed. Data from Operoo (formerly Care Monkey), a third-party platform used by Scouts Victoria, remained unaffected. The incident highlighted broader cybersecurity trends, with phishing attacks rising during the COVID-19 pandemic as reflected in contemporaneous Australian Competition and Consumer Commission scam statistics. Scouts Victoria did not specify whether multi-factor authentication or other safeguards were in place prior to the breach, nor did it disclose the number of affected individuals.
