City of Moreton Bay

Summary

City of Moreton Bay Council in Queensland experienced an accidental data exposure in June 2024 when private ratepayer information was published on the council's website. The breach occurred through the council's customer inquiries portal, exposing personal details and complaint records.

Attack Vector

A misconfiguration in the council's third-party customer inquiries portal system caused private ratepayer information to be publicly accessible on the website. Users reported seeing other residents' personal information when accessing the portal, indicating a permissions or access control failure in the web application.

Consumer Impact

Exposed information included ratepayer names, residential addresses, email addresses, phone numbers, resident complaints to the council, and details about council investigations. Affected resident Piper Lalonde discovered the breach Monday evening and noted that the webpage remained accessible until late Tuesday, raising concerns about the length of exposure and lack of formal notification to affected ratepayers.

Response

The council's third-party provider launched an investigation into the information breach. Moreton Bay Council notified the Office of the Information Commissioner in Australia with details of the incident. However, residents expressed concern that the council had not formally communicated with ratepayers about their information being publicly available during the exposure period.