Tocal College Student Database eligible data breach: published 30 October 2024
The Department of Primary Industries and Regional Development (DPIRD), which administers the Tocal College Student database, was the victim of a cyber security incident. The incident was identified as a ransomware attack, specifically Loki ransomware. The department has not been able to confirm what personal information was accessed, lost or stolen as part of this incident.
The department became aware of the incident on 16 September 2024 and immediately shut down access to the database and removed the database from its system. The NSW Police, NSW Privacy Commissioner, Cyber NSW and the Australian Cyber Security Centre have been notified.
The department has completed the following actions to safeguard the application:
- migrated the application portal to a secure platform
- implemented MFA (multi-factor authentication) on the platform and increased password complexity for the application
- conducted internal and external penetration testing (work is in progress to remediate the findings)
- installed EDR (advanced endpoint detection and response) software on the servers
- improved alerting and monitoring by ingesting the logs into the enterprise SIEM (security information and event management).
The department engaged the services of a cyber security forensics firm to conduct a forensic investigation to identify the root cause and to prevent recurrence. The investigation found that:
- the threat actor had access to the database from 13 September 2024 until 16 September 2024
- personal information stored within the database was accessible to the threat actor during this time
- the threat actor did not access any files or folders while running the ransomware. However, approximately 1 GB of data was seen leaving the network. The forensic investigator assessed that, given the duration of the connection and the amount of data seen leaving the network, no substantial data exfiltration occurred
- the forensic investigation concluded that the malicious activity undertaken by the threat actor was performed for the purposes of encryption rather than to exfiltrate or access the data.
The types of personal information that may have been disclosed during this incident include:
- name
- date of birth
- gender
- citizenship
- address
- phone
- identity document used for registration on the Tocal database
- language spoken at home
- disability status
- Aboriginal and Torres Strait Islander status.
Payment details and account passwords have not been compromised.
What you should do
As a precaution, we recommend that, if you were or are a student at Tocal College, you:
- be cautious in responding to emails and telephone calls from people requesting your personal details (especially things like your date of birth, residential address, driver’s licence numbers, email address, username and passwords, which are often used to verify your identity)
- don’t click on links in emails and text messages unless you are sure they are legitimate
- change online passwords regularly
- contact credit reporting organisations like Equifax, illion or Experian to confirm if your identity has been used to obtain credit without your knowledge or to request a short-term credit ban be put in place
- if you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’.
People who studied with Tocal College during 2019-2024 will be directly notified of the incident.
Fact sheets containing further information are available from the Information and Privacy Commission.
Your review rights
The NSW Information and Privacy Commission has more information about making a complaint as well as your review rights. If you believe your personal information has been impacted by this incident and you want to request an internal review you can email us at gipa@dpird.nsw.gov.au.
Where you can go to get more help
If you require advice on steps that you can take to limit the risks arising from the loss or threat of your personal information, please do not hesitate to visit the NSW Government’s ID Support service or call 1800 001 040.