Data leak in Victorian Covid hotels cyber raid
Personal data of staff and travellers who stayed in Victoria’s bungled hotel quarantine program has renewed opposition calls for a royal commission.
Students and travellers who stayed in Victoria’s bungled hotel quarantine program in January 2021 had personal data leaked in a cyber attack.
Documents released under a Freedom of Information request show some travellers may have had their names, contact numbers, dates of birth, addresses and in some cases passport numbers exposed in a suspected phishing attack.
Daniel Andrews’ government told travellers whose passport details may have been compromised but following a risk assessment, decided not to inform other travellers their personal data might have been leaked.
FOI documents from the Victorian Liberal Party show the email of a hotel quarantine worker was “accessed via cyber intrusion”. They had an Outlook app on their phone, which had a folder holding Department of Health emails.
The staff member was shifted to work in hotel quarantine from the Victorian Curriculum and Assessment Authority – part of the Education Department – and it was through this email the cyber attack occurred.
“An issue with data occurred in January 2021 involving the potential exposure of information about travellers and staff in the Covid-19 Hotel Quarantine Program, including names, contact numbers, dates of birth addresses and, in some cases, passport numbers,” the document read.
“No evidence of the information being accessed or downloaded has been identified; however, the response to the incident has assumed exposure.
“The Department of Health is working through the process to notify travellers in the Hotel Quarantine Program whose passport details were potentially exposed.”
The document appears to be a briefing note signed by then health minister Martin Foley.
The intruder used access to the worker’s email account to send fake invoices to schools in the attack, which took place over four days in January last year.
The state’s curriculum authority was told about the incident on January 8 and the Education Department informed health officials in mid-March.
“Other Department of Education and Training data relating to students … was also exposed,” the document read.
The Education Department contacted the Australian Signals Directorate and the data breach was voluntarily reported to the Office of the Victorian Information Commissioner.
Acting premier at the time and education minister James Merlino was also briefed.
Coronavirus spread into the Victorian community in mid-2020 after private security guards were employed to man the hotel quarantine system.
Victoria was plunged into a 111-day lockdown; ultimately, more than 750 people died as a result of failures in the program.
An inquiry led by retired judge Jennifer Coate found no member of the government could be held responsible for the decision to use private security guards, who reportedly engaged in sexual activity with guests and allowed them to mingle.
Opposition health spokeswoman Georgie Crozier said Victorians remained “in the dark” about failures in the hotel quarantine program and they deserved to know the truth.
More Coverage
Add your comment to this story
Palestine state recognition now will delay release of hostages: Mark Leibler
The nation’s Jewish leaders have warned Anthony Albanese against imminent recognition of Palestinian statehood, with one warning it would be ‘scandalous’ to join France, UK and Canada before Hamas had been removed from Gaza.
Youth crime move nothing but a spit in the face of sense
Australia's tough approach to youth detention is creating career criminals instead of reformed citizens, with Indigenous children bearing the brunt of failed policies.
To join the conversation, please log in. Don't have an account? Register
Join the conversation, you are commenting as Logout