This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Victorian Government Employee Directory

Summary

The Victorian Government disclosed in January 2019 that its employee directory had been accessed by an unauthorised party, compromising the work details of approximately 30,000 public servants. The breach, which occurred just before Christmas 2018, exposed contact information, job titles, and organisational details for government employees across multiple departments and agencies. The incident raised serious concerns about the security of public sector workforce data and potential targeting of government staff.

What Happened

Hacking. An unauthorised party gained access to the Victorian Government's employee directory system, which contained comprehensive workforce information for approximately 30,000 public servants. The directory included employee names, work email addresses, phone numbers, job titles, departments, office locations, and reporting structures. This type of organisational information is valuable to attackers because it enables sophisticated social engineering attacks, revealing who works in sensitive positions, who reports to whom, and how to contact specific individuals. The breach was discovered during a security review shortly after it occurred, but the damage was already done with the full directory having been exfiltrated.

Impact on Individuals

  • Workplace Targeting: Public servants could be specifically targeted based on their roles and departments
  • Social Engineering: Detailed org charts enable convincing impersonation attacks
  • Phishing Campaigns: Accurate employee data facilitates targeted phishing using real names, titles, and reporting structures
  • Privacy Concerns: Government employees' work details exposed without consent
  • Sensitive Positions: Particular concern for staff in law enforcement, child protection, or other sensitive roles
  • Contact Details: Direct work phone numbers and emails enabling unsolicited contact

The breach of a government workforce directory was especially concerning because it provided a roadmap for targeting public sector systems and employees.

Response

The Victorian Government immediately secured the compromised directory system and launched an investigation into how the unauthorised access occurred. All 30,000 affected employees were notified about the breach and advised to be extra vigilant for phishing attempts and social engineering attacks. The government engaged cybersecurity experts to conduct a comprehensive security review and implement enhanced access controls for internal systems. Staff were reminded about security protocols and warned to verify the identity of anyone requesting sensitive information or system access. The incident was reported to the Office of the Victorian Information Commissioner. The breach prompted a broader review of security practices across the Victorian public service, particularly around systems containing employee data. Enhanced monitoring was implemented to detect unusual access patterns to government directories and HR systems. +++

Verification Source: View original statement