In late February we became aware that, as a result of phishing scams, certain staff email accounts had been compromised by a third party. Phishing scams are attempts to trick someone into disclosing their personal information, such as bank account numbers and online login usernames and passwords. We are also aware that a number of companies in Australia had been subject to similar cyber-attacks during the relevant period of time.
Immediately following this discovery, we took steps to secure our dealership email accounts. We investigated the incident and believe the unauthorised access was for the primary purpose of sending phishing emails to our valued customers and associates.
Since that time, we have been working closely with our own IT team, as well as external IT, forensic and cybersecurity experts, to investigate and contain the incident and minimise the associated risks.
We have also notified the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre and Victoria Police.
Our focus has been to clearly identify who has been potentially affected and to identify exactly what information, contained in our systems, may have been accessed. After becoming aware of the incident, we, at Mercedes-Benz Melbourne, took the following steps:
- blocked the unauthorised access to our systems and isolated and forensically saved the compromised email account;
- conducted a detailed investigation into the incident, including an audit to identify the personal information potentially accessible to the unauthorised users;
- increased cyber security measures across the whole organisation;
- engaged our information security department to monitor online environments for any suspicious activity involving customer personal information;
- engaged IDCARE (a national identity and cyber support service, see https://www.idcare.org/) to assist in understanding the risks to personal information and to identify available precautionary measures open to affected individuals wishing to address those risks; and
- notified government regulators (including the OAIC) as mentioned above.
We have no evidence that any personal information has been stolen and misused. However, as we take our privacy obligations very seriously, we have taken steps to notify impacted persons, in keeping with the abundance of caution we mentioned.
Determining the persons impacted and the information involved is the result of a rigorous audit and review process (both automated and manual) conducted across affected mail data by experienced forensic advisors who specialise in this work using reliable and industry-standard techniques.
Without delay, and as expeditiously as possible, we have taken steps to directly notify impacted persons as to what has occurred and what information of theirs was exposed.
On behalf of Mercedes-Benz Melbourne, I unreservedly apologise for this incident. For further information I encourage you to review the contents of this site, which contains FAQs, contact information, and additional resources you may find useful in considering further measures to take in protecting personal information.
Dealer Principal, Mercedes-Benz Melbourne