Xavier College investigated by privacy watchdog over handling of data hack
The elite boys’ school is being investigated by the Office of the Australian Information Commissioner amid frustration about how it handled an old scholars data breach.
An elite Catholic boys’ college is being investigated by the Office of the Australian Information Commissioner over a data breach.
A former student and recent parent of Xavier College was involved in mediation with the school and the OAIC last month, but the matter could not be resolved.
The national regulator of privacy will now make an assessment about whether further action is warranted.
The 2022 cyber attack affecting the prestigious Kew school involved the illegal access of information from an undisclosed number of past and current students and parents.
Hackers threatened to release stolen personal details such as visa applications, financial documents, birth certificates and parenting arrangements.
Selected members of the school community were told about the attack, which was discovered in June.
But it was not disclosed to those who had their personal details accessed until October when the hackers started making demands.
One former student and parent has succeeded in getting the matter investigated by the OAIC, particularly in terms of the origin of the breach, the time delay and the school’s retention of data for an indeterminate period, allegedly without consent.
He told the Herald Sun the information accessed about him and his son could be used for identity theft and to undermine his high-level workplace security clearances.
“The months between the hack and the college becoming aware of the potential data loss provided the hackers ample time to access school data,” he said.
He said the college’s use of Office365 meant it was impossible for the school to detect what files had been accessed.
It is understood the investigation will centre on the steps the school took once the breach was discovered and whether an individual risk assessment was performed on each person whose information was stolen.
Actions taken by the school since the breach will also be analysed, with the OAIC requiring “reasonable steps” to be taken to improve security processes.
The identities of the old scholars affected by the breach have not been disclosed, but the school counts many current and former judges, politicians, businessmen and sporting figures among its old scholars.
These include former governor of Victoria Sir James Gobbo, former deputy premier Rob Hulls, former federal Minister Richard Alston, current Minister Bill Shorten, judge Simon Steward, marathon runner Robert de Castella, footballers Luke Ball and Sean Darcy and former Catholic archbishop of Melbourne Denis Hart.
The Herald Sun is not suggesting these individuals had their data breached.
Xavier College declined to comment.
A spokesman has previously told the Herald Sun the college will “work closely and cooperatively with the OAIC in all aspects relating to the incident”.