What has happened?
In late February we became aware that certain staff email accounts had been compromised by a third party as a result of phishing scams. Phishing scams are attempts to trick someone into disclosing their personal information, such as bank account numbers and online login usernames and passwords.
How many accounts were compromised?
Extensive forensic investigations revealed that two email accounts were the subject of unauthorised access.
Has information been accessed?
Even with the support of specialist external forensic experts, it is not possible to conclusively determine whether any of the information contained within the email accounts was extracted (i.e. stolen) by the unauthorised user. Whilst there is no evidence of its misuse, we have made the determination that if, as a result of unauthorised access, information contained within an email account may present a risk of harm if exploited by a third party, it warrants a disclosure to impacted persons.
How do I know if I’m impacted?
As a precautionary measure we have made it a priority to expeditiously inform individuals whose information contained within the email accounts may present a risk of harm from its misuse. If you have received a notification in relation to this incident, it means your personal information has been found in the impacted email accounts, and that the notification lists such information.
What has Mercedes-Benz Melbourne done to improve its cyber security?
- blocked the unauthorised access to our systems and isolated and forensically saved the compromised email account;
- conducted a detailed investigation into the incident, including an audit to identify the personal information potentially accessible to the hackers;
- increased cyber security measures across the whole organisation;
- engaged our information security department to monitor online environments for any suspicious activity involving customer personal information;
- engaged IDCARE (a national identity and cyber support service, see https://www.idcare.org/) to assist in understanding the risks to personal information and to identify available precautionary measures open to affected individuals wishing to address those risks; and
- notified government regulators (including the OAIC) and law enforcement.
What support is available?
You may also contact IDCARE using the referral code IDC-MBZ via its online Support Request Form (https://www.idcare.org/contact/get-help). IDCARE’s Case Managers are available from 8:00am – 5:00pm M-F AEST if you would like to speak to someone about specific identity risks or concerns you may have. IDCARE has further resources available at its online Learning Centre which can be found at https://www.idcare.org/learning-centre/learning-centre.
Has this incident been reported to authorities?
We have also notified the Office of the Australian Information Commissioner (OAIC), the Australian Cyber Security Centre and Victoria Police. This report number may be used by impacted individuals, if they require it, as part of additional identity protection measures they may wish to put in place.
What Can I Do To Protect Myself?
Some people impacted by this incident may wish to take additional measures or steps to protect their personal information. IDCARE, Australia’s leading national identity and cyber support service for the community, has provided Mercedes-Benz Melbourne with the following information on signs of identity theft and misuse and how individuals can further protect their personal information.
Signs of identity misuse include:
- You notice transactions from your bank accounts and cards you did not initiate.
- You receive an unsolicited email, phone call or SMS from people who claim to know you, or are impersonating government or business, asking you to provide further information, including payment details, credential information or other identity details.
- You receive a bill in the mail for a service you did not request.
- You are locked out of your email account, social media, online banking, or permanently lose your mobile phone signal.
- Your friends, relatives or work colleagues are enquiring about an email or social media post you apparently sent that you had nothing to do with.
What Additional Measures Can I Take to Protect Myself?
Depending on the type of information that may have been exposed, IDCARE recommends you consider the following proactive measures.
- Inform your financial institution that your personal information may be at risk of identity misuse and ask them what additional measures they recommend.
- An incident involving a credit card does not automatically mean that the credit card will be cancelled and a new one reissued. Talk to your institution about your options.
- Change any online banking passwords and if you haven’t already, explore whether your online banking has multi-factor authentication security (such as using a token PIN or SMS code – in addition to your username or account ID and password).
- Check out your Credit Reports for any unexplained credit checks. Every Australian can get free access to their credit reports. You may have four different credit reports from each of Australia’s four separate credit reporting bureaus. To apply for your credit report follow the steps in IDCARE’s Fact Sheet – Credit Reports Australia.
- If you have a foreign passport or driver licence talk to IDCARE about your options (submit a support request form and use the referral code IDC-MBZ via https://www.idcare.org/contact/get-help).
- If you find entries on your credit report that cannot be explained or are incorrect, such as a different address, please contact IDCARE who can work with you to respond to any such findings.
- If you think you may experience misuse involving credit, you can also apply for a Credit Ban with each of Australia’s credit reporting bureaus. Like credit reports, credit bans are free under Australian privacy laws. They sound bad, but a credit ban will prevent credit providers from accessing your credit report as part of a credit check. This helps to safeguard against anyone using your information to fraudulently take out credit in your name. Credit bans won’t upset any existing credit lines you may have, such as credit cards and loans. They are only in place for 21 days in Australia, but you can ask for an extension if you think you face an enduring risk and provide a police report number. To apply for credit bans follow the steps in IDCARE’s Fact Sheet – Credit Bans Australia.
- Remain vigilant to unauthorised requests to port your mobile telephone number to another provider. If this occurs or your phone permanently loses signal, contact your telecommunications service provider to confirm whether a request for porting has occurred, and if so, request a reversal.
How to protect my ID information?
If you were notified that your driver licence information was exposed you may wish to contact your driver licence issuer, but please note that unless you have detected any misuse involving your licence number, the licence itself will not be replaced with a new number. If you have specific concerns around identity misuse involving your licence we recommend you contact IDCARE by using the referral code IDC-MBZ via its online Support Request Form. IDCARE’s Case Managers are available from 8:00am – 5:00pm M-F AEST if you would like to speak to someone about specific identity risks or concerns you may have. IDCARE has further resources available at its online Learning Centre.
If your Medicare card details were identified as being exposed in the notification communication received, we advise you to contact Services Australia (formerly known as the Department of Human Services) Scams and Identity Theft Help Desk on 1800 941 126 between 9am to 5pm Monday to Friday. They can assist you in replacing your Medicare card and obtaining a new Medicare Card number.
If your Tax File Number was exposed, the Australian Taxation Office has a Client Identity Support Centre that may be contacted on 1800 467 033 between 8am and 6pm Monday to Friday. The ATO can assist in placing further protective measures on your TFN.
How Can I Protect Myself from Scams?
It’s good cyber security practice to regularly change your online passwords. Password Managers can be really handy to manage multiple online account passwords.
Implementing multi-factor authentication on email accounts and other online accounts is also good practice.
Remain vigilant to telephone call, SMS and email phishing scams. You can report suspicious activity to IDCARE. One of their case managers will work with you to determine what it is, what it could be, and what can be done about it. You can contact IDCARE by using the referral code IDC-MBZ via its online Support Request Form. IDCARE’s Case Managers are available from 8:00am – 5:00pm M-F AEST if you would like to speak to someone about specific identity risks or concerns you may have. IDCARE has further resources available at its online Learning Centre.
If you have specific concerns about your personal information, its protection, or need support in pursuing additional protective measures please contact IDCARE by using the referral code IDC-MBZ via its online Support Request Form. IDCARE’s Case Managers are available from 8:00am – 5:00pm M-F AEST if you would like to speak to someone about specific identity risks or concerns you may have. IDCARE has further resources available at its online Learning Centre.
Further information about scams is available via the Australian Competition and Consumer Commission’s Scamwatch website www.scamwatch.gov.au.
Information about your rights and protecting your identity can also be found on the Office of the Australian Information Commissioner’s website.