Tocal College Student Database eligible data breach: published 30 October 2024

The Department of Primary Industries and Regional Development (DPIRD), which administers the Tocal College Student database, was the victim of a cyber security incident. 

The Department of Primary Industries and Regional Development (DPIRD), which administers the Tocal College Student database, was the victim of a cyber security incident. The type of incident was identified as a ransomware case specifically called Loki ransomware.

The department became aware of the incident on 16 September 2024 and immediately shut down access to the database and removed the database from its system. The NSW Police, NSW Privacy Commissioner, Cyber NSW and the Australian Cyber Security Centre have been notified.

The department engaged the services of a cyber security forensics firm to conduct a forensic investigation to identify the root cause and to prevent recurrence. The investigation found that:

  • the threat actor had access to the database from 13 September 2024 until 16 September 2024
  • personal information stored within the database was accessible to the threat actor during this time
  • the threat actor did not access any files or folders while running the ransomware. However, approximately 1GB data was seen leaving the network. The forensic investigator assessed that due to the duration of the connection and the amount of data seen leaving the network, that no substantial data exfiltration occurred
  • the forensic investigation concluded that the malicious activity undertaken by the threat actor was performed for the purposes of encryption rather than to exfiltrate or access the data.

The types of personal information that may have been disclosed during this incident include:

  • name
  • date of birth
  • gender
  • citizenship
  • address
  • email
  • phone
  • identity document used for registration on the Tocal database
  • language spoken at home
  • disability status
  • Aboriginal and Torres Strait Islander status.

Payment details and account passwords have not been compromised.

What you should do

As a precaution, we recommend that if you were or are a student at Tocal College that you:

  • be cautious in responding to emails and telephone calls from people requesting your personal details, (especially things like your date of birth, residential address, driver’s licence numbers, email address, username and passwords which are often used to verify your identity)
  • don’t click on links in emails and text messages unless you are sure they are legitimate
  • change online passwords regularly
  • contact credit reporting organisations like Equifax, illion or Experian to confirm if your identity has been used to obtain credit without your knowledge or to request a short-term credit ban be put in place
  • if you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’.

People who studied with the Tocal College during 2019-2024 will be directly notified of the incident.

Fact sheets containing further information are available from the Information and Privacy Commission.

Your review rights

The NSW Information and Privacy Commission has more information about making a complaint as well as your review rights. If you believe your personal information has been impacted by this incident and you want to request an internal review you can email us at gipa@dpird.nsw.gov.au.

Where you can go to get more help

If you require advice on steps that you can take to limit the risks arising from the loss or threat of your personal information, please do not hesitate to visit the NSW Government’s ID Support service or call 1800 001 040.

Download as PDF Print this page
Top of page