Bega Valley Shire Council’s after-hours customer service provider has suffered a data breach, but Council has moved to reassure residents that no information from the shire’s customers has been compromised.
On Tuesday (23 April), OracleCMS told Council there had been a “low level” data breach during the week of 15 to 21 April. Council then announced the news to the community the next morning (Wednesday).
OracleCMS is Council’s after-hours customer service provider.
When people call Council’s customer service line outside business hours, the call is diverted to the company, which describes itself as “one of Australia’s leading outsourcing providers”.
A council spokesperson confirmed OracleCMS did not have access to customer financial data or bank account details, and that no Bega Valley Shire Council customer data was compromised.
“The compromised data has been shared with Bega Valley Shire Council and Council has undertaken a review of all data to validate this statement,” Council’s CEO Anthony McMahon said.
“OracleCMS did not store resident data in the compromised repository.
“Data collected by OracleCMS is for the purpose of providing council with enough information to respond to the resident or incident in the following business period. Callers are given the option to provide contact details.”
The council spokesperson said Council was working with the provider to determine the exact extent of the data breach and was aware that several other local and city councils had been impacted by the breach.
Mr McMahon said Council had stopped using OracleCMS’s service and would operate its after-hours service in-house.
“We will continue this while the cause is investigated and until we are satisfied OracleCMS is adequately mitigating the risk,” he said.
“We will provide a further update as new information becomes available.”
OracleCMS was contacted for comment. In an online statement, the company said a third party had gained unauthorised access to a portion of its data and published files online.
“Upon discovery, OracleCMS engaged external cyber security experts to help us secure our systems and investigate the incident,” the statement says.
“Available evidence suggests that the impacted data is limited to corporate information, contract details, invoices, and triage process workflows.
“Any personal information, if present, is anticipated to be basic contact information as appears in contracts and invoices. We are advised that this data presents a low risk of misuse.”
The Office of the Australian Information Commissioner (OAIC) said OracleCMS had notified their department about the breach.
“The OAIC reviews all data breach notifications we receive to ensure the requirements of the Notifiable Data Breaches scheme are met and to identify whether there are any acts or practices that may warrant further regulatory action,” an OAIC spokesperson said.
“Since the Notifiable Data Breaches scheme commenced in 2018, the OAIC has been notified of around 5500 data breaches. Around 40 per cent of data breaches have been the result of cyber security incidents.”
The spokesperson said advice for individuals on responding to data breaches is on its website.