Personalised for LOCAL students.
Local student means; you are an Australian citizen or permanent resident, a New Zealand citizen or a permanent humanitarian visa holder.
Personalised for INTERNATIONAL students.
International student means; you are not an Australian citizen or permanent resident, a New Zealand citizen or a permanent humanitarian visa holder.

Information about Melbourne Polytechnic’s Cyber Breach

In the final months of 2018, Melbourne Polytechnic was subject to a data breach in which access was gained to personal information about staff, students and suppliers.

This page provides information and advice to people affected by the breach.

It provides:

  • General information about the breach;
  • Other useful information;
  • Advice about actions to take to protect yourself from risk of identity fraud;
  • Frequently asked questions;
  • An online form to submit a request for contact from Melbourne Polytechnic’s Cyber Support Call Centre.

Who was impacted?

The data breach has affected staff, students and suppliers whose details were held in some of Melbourne Polytechnic’s IT systems during the period between September and December 2018.

If your relationship with Melbourne Polytechnic commenced after this time you have not been impacted by this data breach.

How do I know if I have been affected by the data breach?

Melbourne Polytechnic has written to all people affected by the data breach. Letters have been tailored to each person. A summary of the specific types of information that was accessed in the breach for that person is included in each letter. This enables affected people to understand the degree to which they have been affected and what actions they should take.

Along with the letter sent to each affected person, Melbourne Polytechnic has provided a Cyber Security Information Sheet, with recommendations by IDCARE (Australia's national identity theft and cyber support service), advising what actions they should consider to protect themselves as a result of the breach.

Useful Information

Police Report Number

The police report number of this data breach is 18 043 0368.

This number may be important for activities such as credit application bans.

Melbourne Polytechnic Cyber Support Call Centre

Melbourne Polytechnic has established a Cyber Support Call Centre so that affected people can speak to a team member about any concerns. Contact from a team member from the Cyber Support Call Centre can also be requested by completing the contact form below.

IDCARE

IDCARE is Australia’s national identity theft support service. Their website has useful tips and suggestions on what to do if your personal identity has been compromised. idcare.org

Stay Smart Online

Stay Smart Online is the federal government’s cyber security education portal. Learn how to improve your personal cyber security at staysmartonline.gov.au

 

Actions to take to protect yourself from risk of identity fraud

To understand what actions you might need you to take if you have been affected by the breach, you will need to refer to the letter that you received from Melbourne Polytechnic in the mail. The letter includes a list of the types of data about you that was accessed.

Personal Information 

Data Type Risk Recommended Actions 
Melbourne Polytechnic email user name and password

These are the details you use to log into your Melbourne Polytechnic account.

Breach of this data may have resulted in confidential information contained within your Melbourne Polytechnic account being accessed. You should consider whether you used this account to share information like bank account details or your passport and determine what actions you need to take to protect yourself.

  • Consider whether you used your Melbourne Polytechnic account to share confidential information and take action to protect yourself.
  • Change passwords for all online accounts which use your Melbourne Polytechnic username, email address or password. This may include social media accounts, gaming platforms and other online services unrelated to Melbourne Polytechnic.
  • Wherever possible, establish multi-factor authentication with your online accounts (such as username, password and a separately communicated code).
  • Further information on recommended actions in relation to identity documents (such as passports and driver licences) and bank accounts are provided below.

Drivers licence

Your drivers licence can be used to open accounts, including obtaining credit, in your name without your approval. It can also be used to port (gain access to) your mobile phone number.

Unfortunately, most states do not allow you to change your drivers licence number. Victorian drivers‘ licence numbers can only be changed where it can be proved that a criminal use of the number has occurred. It is not recommended that individuals attempt to change their drivers licence as it unlikely to be successful.
  • Contact your financial institution about increasing security on your accounts.
  • Contact your mobile phone provider about increasing security on your accounts.
  • Contact Australia’s three credit reporting agencies to confirm that your identity has not been used to obtain credit without your knowledge and/or put a Credit
  • Ban in place. Australia’s three credit agencies are Equifax, Illion and Experian.
  • Further information on this process is available from IDCARE’s Learning Centre idcare.org/learning-centre/fact-sheets
Passport details Your passport can be used to open accounts, including obtaining credit, in your name without your approval. It can also be used to port (and gain access to) your mobile phone number.

If you are an Australian Citizen:

  • Contact the Australian Passport Office to arrange for a new passport to be reissued with a new passport number by calling 13 12 32 between 8:30am to 4:30pm, Monday to Friday

 If you are an Overseas Citizen:

  • Holders of overseas passports are recommended to inform their respective embassies that their passport details have been compromised and explore what mitigation or additional security requirements are available.

All countries:

  • Contact your financial institution about increasing security on your accounts.
  • Contact your mobile phone provider about increasing security on your accounts.
  • Contact Australia’s three credit reporting agencies to confirm that your identity has not been used to obtain credit without your knowledge and/or put a Credit Ban in place. Australia’s three credit agencies are Equifax, Illion and Experian.

Further information on this process is available from IDCARE’s Learning Centre idcare.org/learning-centre/fact-sheets

Financial Information 

Data Type Risk Recommended Actions 
Banking details including name, BSB or account number

If your account details have been identified as being stolen in the breach, there may be the risk of fraudulent activity occurring on your account.

Immediately notify your financial institutions of the breach to allow them to implement monitoring controls.

  • Speak with your financial institution about additional security measures that can be put in place on your bank accounts, including changing passwords or PINs.

Credit/Debit card details

If your account details have been identified as being stolen in the breach, there may be the risk of fraudulent activity occurring on your account.

Immediately notify your financial institution that issued your card. They will determine whether the card is best to be cancelled and replaced or if monitoring controls are preferred.

  • Speak with your financial institution about what additional security measures can be put in place on your bank accounts, including changing passwords or PINs.

Superannuation details

The exposure of superannuation details can result in attempts to move funds from your superannuation account.

Contact your superannuation fund and speak with them about what additional security measures they can place on your account.

Tax file number

Your tax file number (TFN) is your personal reference number in the Australian tax and superannuation systems.

Melbourne Polytechnic has provided the Australian Taxation Office with details for all Tax File Numbers that have been exposed and these numbers will be added to their ‘watch list’. For further information contact the ATO on 1800 467 033 during business hours.

Health Related Information 

Data Type Risk Recommended Actions 

Medicare card number

Your Medicare card number can be used as a form of identification and can expose you to risk of fraudulent activity.

It can be used to open accounts, including obtaining credit, in your name without your approval. It can also be used to port (and gain access to) your mobile phone number.

• Melbourne Polytechnic has provided Services Australia with details of all Medicare numbers that were affected. You do not need to contact them about the breach.

• Contact your financial institution about increasing security on your accounts.

• Contact your mobile phone provider about increasing security on your accounts.

• Contact Australia’s three credit reporting agencies to confirm that your identity has not been used to obtain credit without your knowledge and/or put a Credit Ban in place. Australia’s three credit agencies are Equifax, Illion and Experian.

 

Further information on this process is available from IDCARE’s Learning Centre idcare.org/learning-centre/fact-sheets

Health information

While it may be distressing to know that personal health details have been accessed, it is unlikely that this information will be able to be used to undertake further criminal activity.

Nevertheless we recognise that your personal experience should be considered. If you would like to discuss how you have been impacted, please contact our Cyber Support Centre. Counselling support is available.
  • If you would like to discuss how you have been impacted, please contact our Cyber Support Call Centre about any concerns you may have and to understand your options.

Contact from a team member from the Cyber Support Call Centre can also be requested by completing the Contact Form below.

Frequently Asked Questions

What has happened?

In the final months of 2018, Melbourne Polytechnic was subject to a data breach in which access was gained to personal information about staff, students and suppliers.

How did it happen?

We understand from Victoria Police that an individual attended a Melbourne Polytechnic campus in late 2018 and obtained unauthorised access to Melbourne Polytechnic’s computer systems by hard logging onto the network; overcoming security measures.

When and how did Melbourne Polytechnic find out about the data breach?

Victoria Police notified Melbourne Polytechnic of the data breach in late October 2019 as part of a separate investigation.

Why has it taken so long for Melbourne Polytechnic to alert affected people?

Victoria Police supplied Melbourne Polytechnic with the files related to the data breach in late October 2019. Since that time, Melbourne Polytechnic has undertaken a very detailed independent forensic investigation focused on what occurred, how, and most importantly, who has been affected. This has taken many weeks and many hours of work involving internal staff and independent specialists. A team of forensic IT professionals and cyber security experts have worked tirelessly to identify the names of all the affected people and determine what types of information has been accessed on a case-by-case basis.

How many files were accessed?

Access was gained to approximately 55,000 files.

What types of information were accessed in the breach?

For the vast majority of people affected by the data breach, access was gained to their Melbourne Polytechnic usernames, passwords and email addresses. It is possible that any information held in those Melbourne Polytechnic accounts at that time was exposed. Routine security measures implemented since the breach, mean that these accounts are no longer vulnerable as a result of the breach.

For a smaller number of people, financial information such as banking and credit card details, passport and drivers licence numbers and some confidential health details may have been accessed.

Has Victoria Police identified the person responsible for the data breach?

Victoria Police have charged an individual in relation to the data breach, and the case is expected to go to trial this year. As the matter is now before the courts, Melbourne Polytechnic is not in a position to provide any further information concerning the case.

Has any of the information accessed in the data breach been used for illegal activity?

We do not know if information accessed in the data breach has been used for illegal activity. Melbourne Polytechnic does not have access to that information.

However, all data breaches should be treated with the utmost seriousness, which is why Melbourne Polytechnic is actively working to ensure affected people are aware of the breach and providing information about the actions they need to take to protect themselves.

When and how is Melbourne Polytechnic letting people know about the data breach?

In March 2020, Melbourne Polytechnic has written to all people affected by the data breach. Letters have been tailored to each person. A summary of the specific types of information that was accessed in the breach for that person is included in each letter. This enables affected people to understand the degree to which they have been affected and what actions they should take.

Along with the letter sent to each affected person, Melbourne Polytechnic has provided a Cyber Security Information Sheet, with recommendations by IDCARE (Australia's national identity theft and cyber support service), advising what actions they should consider to protect themselves as a result of the breach.

Melbourne Polytechnic has also submitted official notification of the breach to the Australian Information Commissioner, Office of the Victorian Information Commissioner and the Health Complaints Commissioner. The Victorian Department of Premier and Cabinet, and the Department of Education and Training are also aware of the breach.

What actions has Melbourne Polytechnic taken to increase its cybersecurity?

Melbourne Polytechnic routinely works on upgrading its cybersecurity. This work has been further accelerated since the Institute became aware of this breach. Upgrades include both software and hardware improvements designed to make it harder for this type of data breach to occur again.

Did the data breach comprise student performance records?

The data breach did not affect the system where Melbourne Polytechnic holds its students' performance records.

Will the data breach have any impact on student results or qualifications?

No. As the data breach did not impact the system where student performance results are held, there is no impact on student results or qualifications.

What should people do if they have been notified that they were affected by the breach?

A letter has been sent to all people affected by the breach. The letter details the specific types of data that was access as a result of the breach for that person. Included with the letter was a Cyber Security Information Sheet, which contains recommended actions that people should consider in order to protect themselves as a result of the breach.

form

Contact Us

Please complete this form if you would like to speak to a member of the Cyber Support Call Centre. A team member will contact you at your preferred time, between 9.30am and 4pm Monday to Friday.

Phone number a Call Centre Team Member can contact you. Please include area code.
The email address to be used for contact by a Call Centre team member.
Select preferred business day/s and time/s for a Team Member to contact you