This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Mount Lilydale Mercy College

Summary

Mount Lilydale Mercy College, a Catholic secondary school in Melbourne's eastern suburbs, was notified by the Australian Federal Police on 11 January 2023 that up to 400 credit card numbers had been stolen by third-party hackers. The breach affected current and former parents whose payment information was still on file with the school. Whilst credit card numbers were stolen, the CVV security codes were not compromised. The school notified affected parents on 30 January 2023 and advised them to contact their financial institutions.

What Happened

The school was notified of the hack by the Australian Federal Police on 11 January 2023. Third-party hackers had gained unauthorised access to the school's systems and stolen credit card information belonging to parents who had used their cards for school-related payments.

The investigation revealed that up to 400 credit card numbers were stolen, affecting both current parents and former parents whose payment information was still retained in the school's systems. Importantly, whilst the credit card numbers themselves were compromised, the CVV (Card Verification Value) security codes, the three- or four-digit numbers printed on the card, were not included in the stolen data.

The school took nearly three weeks to notify affected parents, sending out a letter on 30 January 2023, approximately 19 days after being informed of the breach by the AFP.

Impact on Individuals

The breach affected up to 400 current and former parents who had provided credit card details to the school for fee payments or other school-related expenses. The stolen data included:

  • Credit card numbers
  • Cardholder names

Notably, CVV numbers were not compromised, which limits how the stolen card numbers can be used. Many online transactions require the CVV code, and its absence makes fraudulent online purchases more difficult (though not impossible).

However, the theft of credit card numbers still creates risks:

  • Cards can potentially be used for transactions that don't require CVV codes
  • The information can be sold on dark web marketplaces
  • Affected individuals face the inconvenience of cancelling and replacing their cards
  • There's potential for unauthorised charges before cards are cancelled

The inclusion of former parents whose information was still on file raises questions about the school's data retention practices and whether financial information was being kept longer than necessary.
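The retention point above is the one a defender can act on before any breach: card data that is no longer needed should not be on file at all. The following is an added example, not code from the page, the school, or its investigators. It shows two checks a school or any small organisation could run against its own records: a scan of an exported data store for Luhn-valid card numbers (so that card data stored outside the payment system is found and masked), and a retention check that flags records belonging to former customers or records whose last payment is older than a chosen limit. All records, dates, the 365-day limit and the card numbers (standard industry test numbers) are constructed for the example.

```python
import re
from datetime import date

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits. Luhn check below filters out false positives.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Find Luhn-valid card numbers in free text (e.g. a database or spreadsheet export)."""
    found = []
    for match in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form a school needs for reconciliation."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in the text with its masked form."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)
    return PAN_CANDIDATE_RE.sub(_mask, text)


def flag_stale_records(records: list[dict], today: date, max_age_days: int) -> list[str]:
    """Return ids of records whose stored card data should be purged:
    the payer is no longer a current parent, or the card has not been used
    within max_age_days. The policy (status + age) is an assumption for the example."""
    flagged = []
    for rec in records:
        age = (today - rec["last_payment"]).days
        if rec["status"] == "former" or age > max_age_days:
            flagged.append(rec["id"])
    return flagged


# Constructed sample export: two industry test card numbers and a placeholder phone number.
SAMPLE_EXPORT = """\
id,name,phone,card
P001,A. Parent,0400 000 000,4111 1111 1111 1111
P002,B. Parent,0400 000 001,5555-5555-5555-4444
P003,C. Parent,0400 000 002,4111 1111 1111 1112
"""

# Constructed retention records; dates are illustrative only.
RECORDS = [
    {"id": "P001", "status": "current", "last_payment": date(2022, 12, 15)},
    {"id": "P002", "status": "former", "last_payment": date(2021, 6, 1)},
    {"id": "P003", "status": "current", "last_payment": date(2021, 11, 1)},
]

if __name__ == "__main__":
    print("card numbers found:", [mask_pan(p) for p in find_pans(SAMPLE_EXPORT)])
    print("redacted export:\n" + redact_pans(SAMPLE_EXPORT))
    print("records to purge:", flag_stale_records(RECORDS, date(2023, 1, 11), 365))
```

The scan is deliberately conservative: the third row fails the Luhn check and is neither reported nor masked, which keeps the output usable as a to-do list for the person cleaning up the data. Both checks are meant to run on a schedule so that card data for parents who have left the school, or cards that have not been used in a year, is purged before anyone else can take it.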

Organisational Response

Principal Philip Morison confirmed that upon learning of the breach, the school immediately engaged "specialist cyber incident response experts, including cybersecurity analysts and forensic IT investigators" to investigate the incident and secure the school's systems.

The school advised all impacted parents to take immediate action with their financial institutions, including cancelling their compromised cards and monitoring their accounts for unauthorised transactions. The approximately three-week delay between the AFP notification and parent notification meant that potentially fraudulent charges could have occurred during this period before parents were aware and could cancel their cards.

The incident highlighted the risks faced by educational institutions, which often handle sensitive financial and personal information but may not have the same level of cybersecurity resources as larger organisations or financial institutions.
