City of Ballarat
Summary
The City of Ballarat was notified on 3 July 2024 of a cyber security incident involving its after-hours phone call service provider, OracleCMS. The breach exposed limited personal information of 52 local residents whose data was collected between April 2015 and December 2017. The affected data consisted of first names, last names, addresses, and phone numbers. City of Ballarat's own systems and databases were not accessed.
What Happened
OracleCMS, a third-party supplier providing after-hours phone call services for multiple Victorian councils, suffered a cyber security incident. The breach was part of a broader attack on OracleCMS that impacted numerous organizations and local councils across Australia. For the City of Ballarat specifically, the incident exposed data classified as "low risk identity attributes" that had been collected by the after-hours service between April 2015 and December 2017.
Impact on Individuals
The 52 affected residents had the following information exposed:
- First and last names
- Physical addresses
- Phone numbers
While classified as "low risk identity attributes," this combination of information could be used for:
- Targeted phishing calls impersonating council services
- Mail-based scams
- Social engineering attacks
- Identity correlation when combined with data from other breaches
The City of Ballarat directly contacted all 52 affected residents to inform them of the breach.
Organisational Response
The City of Ballarat emphasized that its own systems and databases were not accessed and that the breach was limited to the external OracleCMS system. The council offered all affected residents no-cost access to IDCARE, the national identity and cyber support service. OracleCMS worked with government authorities to investigate the incident. Affected residents were advised to contact the City of Ballarat Customer Service team on 5320 5500 for additional information or support.
Impacted Organizations
The following entities have been confirmed as affected by this specific vendor breach:
- OracleCMS