Melbourne School Data Breach: Lessons for Handling Credit Card Hacks
Around 400 parents of current and former Mount Lilydale Mercy students were recently alerted to a data breach that exposed their credit card details. Fortunately, it appears the hackers did not access and download the CCV number associated with the credit cards. However, that doesn’t mean that the individuals affected by the breach aren’t at risk. Read on to find out what the school did right and other lessons from this data breach:
What Mount Lilydale Mercy Did Right Following the Data Breach
Mount Lilydale Mercy appears to have done quite a few things right in the wake of the breach, including the following:
- The school seems to have promptly alerted the individuals whose data had been stolen and provided practical and actionable advice and guidance.
- Those affected by the breach knew about it before the press release was published, which may help to maintain trust. Finding out from a press release that your data has been breached is never ideal; however, there will be circumstances where it’s appropriate to publish the press release first (such as when a significant amount of data has been breached but it will take a long time to identify exactly what).
- Their communication (via the press release) was relatively clear and simple.
- The school appears to be cooperating with the Government.
- They appear to be willing to admit their mistakes (if it turns out they made one) and they show that they are willing to learn.
“While I am told that even the most secure IT environments can potentially be hacked by something as innocent as one person clicking on a link in a phishing email, we will take learnings from the ongoing investigation and if there are ways to tighten our cyber security practices, we won’t hesitate to make changes.” – Phillip Morison, Principal at Mount Lilydale Mercy College.
Learn what not to do in the wake of a data breach in our earlier coverage of the massive Optus breach.
Key Security Takeaways: Good Data Storage Practices and Data Deletion Are Key
The Good News: CCV Numbers Not Breached
We’re unsure whether the hackers didn’t gain access to the CCV records due to good internal processes or security measures implemented at Mount Lilydale Mercy – or just dumb luck. However, the fact that the thieves did not make off with the CCV details highlights the importance of good data storage practices and policies.
Best practice is not to store CCV numbers at all. This minimises the potential harm if a database of credit card details is breached. The purpose of the CCV number is to reduce fraud, and we recommend that any company that collects and stores credit card information does not store the CCV number at all.
You can review the PCI Storage Rules for Credit Card information for more good practices.
Potential Lessons About Data Deletion
At least one news source (7 News) has reported that credit card information from the parents of former students was breached. If this is true (the school’s press release did not confirm it), it would highlight the potential risks of keeping personal information once its purpose is served.
All organisations should have policies and processes in place to ensure that personal information is deleted once it has served its purpose. It should not be kept ‘just in case’.
Schools (and other organisations) would benefit from making sure that the credit card details of former students are deleted once their fees are paid off.
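The two recommendations above (never persist the CCV; delete card details once fees are settled) can be enforced in code rather than left to policy. The following is an added illustration written for this article, not code from the school or from any payment system; the field names, the 30-day retention period and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Sensitive authentication data that must never be persisted after a payment is
# authorised: the CCV/CVV, full track data and PIN. Field names are assumed; map
# them to whatever your fee-payment form actually submits.
FORBIDDEN_FIELDS = {"ccv", "cvv", "cvc", "cvv2", "track_data", "pin"}

# Grace period after an account is settled before card details are purged (assumed).
RETENTION_AFTER_SETTLEMENT = timedelta(days=30)


@dataclass
class StoredCard:
    """What the fee system keeps: last four digits and a gateway token, never the CCV."""
    family_id: str
    last4: str
    gateway_token: str
    balance_owing: float
    settled_on: Optional[date] = None


def sanitise_payment_record(form: dict) -> dict:
    """Return a copy of a submitted payment form that is safe to write to storage.
    Forbidden fields are dropped and the card number is reduced to its last four
    digits, so a breached database cannot yield the CCV or the full card number."""
    cleaned = {k: v for k, v in form.items() if k.lower() not in FORBIDDEN_FIELDS}
    pan = cleaned.pop("card_number", None)
    if pan is not None:
        digits = "".join(ch for ch in str(pan) if ch.isdigit())
        if len(digits) < 13:
            raise ValueError("card number is not a plausible PAN")
        cleaned["last4"] = digits[-4:]
    return cleaned


def cards_due_for_deletion(cards: list, today: date) -> list:
    """Select records whose purpose is served: nothing owing and retention elapsed."""
    return [c for c in cards
            if c.balance_owing <= 0 and c.settled_on is not None
            and today - c.settled_on >= RETENTION_AFTER_SETTLEMENT]


def demo() -> list:
    """Run the retention check over constructed sample records; returns family ids to purge."""
    cards = [StoredCard("fam-1", "1111", "tok_a", 0.0, date(2023, 1, 1)),    # settled long ago
             StoredCard("fam-2", "2222", "tok_b", 150.0, None),              # still owing
             StoredCard("fam-3", "3333", "tok_c", 0.0, date(2023, 6, 1))]    # settled recently
    return [c.family_id for c in cards_due_for_deletion(cards, date(2023, 6, 15))]
```

Run `demo()` to see that only the account settled more than 30 days ago is selected for purging; the same check can be scheduled as a nightly job against the real fee ledger.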
Privacy 108’s Data Breach Management Consulting
Privacy 108 has a team of security experts who can help set up or improve your data breach preparedness capability and ensure your team is equipped to respond quickly and effectively to a data breach.
Breaches in security can happen and as outlined above, it’s often the way that a breach is handled that has the most long-term impact, rather than the breach itself.
Wherever you are on your data breach path, we can provide the advice, support, implementation, improvement, and testing assistance you need.
Our data breach management services include:
- Developing an information security incident response capability;
- Preparing a data breach response plan;
- Testing and training staff in your incident response;
- Participating as legal advisers and/or privacy experts as part of your data breach/incident response team;
- Keeping you up to date with new or changing data breach notification obligations;
- Providing a legal opinion on your data breach notification obligations; and
- Participating in or leading the post-incident review process.
Our team of lawyers and security experts can support you through any organisational data breach with a view to resolving it as quickly as possible, while ensuring that any damage or loss to both affected individuals and your organisation is minimised.
If you need help developing your organisation’s data breach management program, reach out. Our experienced team would love to help.