
Around 400 parents of current and former Mount Lilydale Mercy students were recently alerted to a data breach that exposed their credit card details. Fortunately, it appears the hackers did not access and download the CCV number associated with the credit cards. However, that doesn’t mean that the individuals affected by the breach aren’t at risk. Read on to find out what the school did right and other lessons from this data breach:
Mount Lilydale Mercy appears to have done quite a few things right in the wake of the breach, including the following:
“While I am told that even the most secure IT environments can potentially be hacked by something as innocent as one person clicking on a link in a phishing email, we will take learnings from the ongoing investigation and if there are ways to tighten our cyber security practices, we won’t hesitate to make changes.” – Phillip Morison, Principal at Mount Lilydale Mercy College.
Learn what not to do in the wake of a data breach in our earlier coverage of the massive Optus breach.
We’re unsure whether the hackers didn’t gain access to the CCV records due to good internal processes or security measures implemented at Mount Lilydale Mercy – or just dumb luck. However, the fact that the thieves did not make off with the CCV details highlights the importance of good data storage practices and policies.
The best practice is to not store CCV numbers at all. This minimises the potential harm if a database with credit card details is breached. The purpose of the CCV number is to reduce fraud, and we recommend that any company that collects and stores credit card information does not store the CCV number at all.
You can review the PCI DSS storage rules for credit card information for more good practices.
At least one news source (7 News) has reported that credit card information from the parents of former students was breached. If this is true (the school’s press release did not confirm it), it would highlight the potential risks of keeping personal information once its purpose is served.
All organisations should have policies and processes in place to ensure that personal information is deleted once it has served its purpose. It should not be kept ‘just in case’.
Schools (and other organisations) would benefit from making sure that the credit card details of former students are deleted once their fees are paid off.
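The two controls above (never persist the CCV, and delete card details once their purpose is served) are simple to state but are usually lost in the gap between the payment form and the database. As an added example, not code from Privacy 108 or the school, here is a small Python sketch of both: a sanitiser that drops the CCV and full card number before anything is written, a guard in front of the persistence layer that refuses records still carrying those fields, and a retention rule that purges stored cards once a family has left and owes nothing. The field names, the processor token, the 90-day grace period and the sample accounts are all constructed assumptions.

```python
# Added illustration (not Privacy 108's or the school's code): data-minimisation
# and retention controls for stored card details. Field names, the processor
# token, the grace period and the sample records are constructed assumptions.
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Fields that must never reach persistent storage. PCI DSS forbids keeping the
# CCV/CVV after authorisation; the full card number is replaced by a token
# issued by the payment processor.
FORBIDDEN_AT_REST = {"ccv", "cvv", "cvc", "pan", "card_number"}

# Constructed sample form submission, as it might arrive from a fee-payment page.
SAMPLE_FORM = {"family_id": "F-1001", "card_number": "4111 1111 1111 1111",
               "expiry": "09/27", "ccv": "123"}
DEMO_TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible


@dataclass(frozen=True)
class StoredCard:
    family_id: str
    last4: str              # enough for receipts and support queries
    expiry: str             # MM/YY
    processor_token: str    # opaque reference from the payment gateway (assumed)


def sanitise_for_storage(form: Dict[str, str], processor_token: str) -> StoredCard:
    """Build the only record allowed to persist; the CCV and PAN are dropped."""
    pan = re.sub(r"\D", "", str(form.get("card_number", "")))
    if not 13 <= len(pan) <= 19:
        raise ValueError("card number has unexpected length")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", form.get("expiry", "")):
        raise ValueError("expiry must be MM/YY")
    return StoredCard(form["family_id"], pan[-4:], form["expiry"], processor_token)


def forbidden_fields(record: Dict[str, object]) -> List[str]:
    """Names of forbidden fields present in a record destined for storage."""
    return sorted(FORBIDDEN_AT_REST & {k.lower() for k in record})


def assert_storable(record: Dict[str, object]) -> None:
    """Guard in front of the persistence layer, independent of earlier code."""
    leaked = forbidden_fields(record)
    if leaked:
        raise ValueError(f"refusing to store forbidden card fields: {leaked}")


@dataclass
class Account:
    family_id: str
    balance_owing: float
    enrolled: bool
    last_payment: date
    card: Optional[StoredCard]


def cards_to_purge(accounts: List[Account], today: date, grace_days: int = 90) -> List[str]:
    """Retention rule: a family that has left and owes nothing no longer needs a
    stored card. The grace period for refunds is an assumed 90 days."""
    cutoff = today - timedelta(days=grace_days)
    return sorted(a.family_id for a in accounts
                  if a.card is not None and not a.enrolled
                  and a.balance_owing <= 0 and a.last_payment <= cutoff)


def purge_cards(accounts: List[Account], today: date, grace_days: int = 90) -> List[str]:
    """Apply the retention rule in place and report which families were purged."""
    ids = set(cards_to_purge(accounts, today, grace_days))
    for a in accounts:
        if a.family_id in ids:
            a.card = None
    return sorted(ids)


def demo_accounts() -> List[Account]:
    """Constructed accounts covering the keep/purge cases as of DEMO_TODAY."""
    old = DEMO_TODAY - timedelta(days=200)
    recent = DEMO_TODAY - timedelta(days=10)
    return [
        Account("F-1001", 0.0, True, old, StoredCard("F-1001", "1111", "09/27", "tok_1")),    # current: keep
        Account("F-2002", 0.0, False, old, StoredCard("F-2002", "2222", "01/26", "tok_2")),   # former, paid: purge
        Account("F-3003", 450.0, False, old, StoredCard("F-3003", "3333", "03/26", "tok_3")), # former, owes: keep
        Account("F-4004", 0.0, False, recent, StoredCard("F-4004", "4444", "05/26", "tok_4")),# within grace: keep
    ]


if __name__ == "__main__":
    card = sanitise_for_storage(SAMPLE_FORM, "tok_demo")
    assert_storable(card.__dict__)
    print(card, purge_cards(demo_accounts(), DEMO_TODAY))
```

The point of the separate `assert_storable` guard is that it does not trust the sanitiser: a later developer who adds a "save the whole form for debugging" path still hits the check. The purge is written as a pure selection (`cards_to_purge`) followed by a mutation so the selection can be reviewed or logged before anything is deleted.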
Privacy 108 has a team of security experts who can help set up or improve your data breach preparedness capability and ensure your team is equipped to respond quickly and effectively to a data breach.
Breaches in security can happen and as outlined above, it’s often the way that a breach is handled that has the most long-term impact, rather than the breach itself.
Wherever you are on your data breach path, we can provide the advice, support, implementation, improvement, and testing assistance you need.
Our team of lawyers and security experts can support you through any organisational data breach with a view to resolving it as quickly as possible, while ensuring that any damage or loss to both affected individuals and your organisation is minimised.
If you need help developing your organisation’s data breach management program, reach out. Our experienced team would love to help.