Hackers stole 400 parents' credit card details from Melbourne's Mount Lilydale Mercy College

Mount Lilydale Mercy College, a Catholic high school near Melbourne, Australia, has suffered a data breach that compromised the credit card information of 400 people.

The college was made aware of the cyber attack by the Australian Federal Police (AFP) on January 11. An AFP spokesperson confirmed that the police alerted college authorities after receiving “information which indicated potential suspicious activity had originated from their network.”

The security incident impacted former parents whose credit card details were still available on the college file. Authorities confirmed that CVV numbers were not impacted by the breach.

According to Lilydale Mercy College principal Philip A Morison, the college authorities immediately started an internal investigation and engaged specialist cyber incident response experts, including cybersecurity analysts and forensic IT investigators, to understand the scope of the cyber attack.

“This has ensured we have taken all initial necessary steps as quickly as possible, aligned to cybercrime incidents such as these. We are confident our IT environment has now been safeguarded and the perpetrators locked out.

“Our cyber consultants, together with members of our College Leadership team, have been working together to learn how the breach occurred, ascertain precisely who is impacted, and specifically what information in relation to each person, has been accessed,” Morison said in a press release.

The high school said the 400 individuals, whose credit card details were compromised, have already been notified “in order for them to take personal mitigative action with their financial institutions, such as cancelling cards.”

“While I am told that even the most secure IT environments can potentially be hacked by something as innocent as one person clicking on a link in a phishing email, we will take learnings from the ongoing investigation and if there are ways to tighten our cyber security practices, we won’t hesitate to make changes,” Morison continued.

Mount Lilydale Mercy College emphasised that its investigation is still ongoing and it has already notified the Office of the Australian Information Commissioner, the Australian Cyber Security Centre, the Australian Federal Police, and the Australian Taxation Office about the security incident.

“We unreservedly apologise and are committed to keeping our College community informed and supported as investigations continue. I wholeheartedly apologise this has happened.

“Rest assured, we have the best cyber experts working with us on this matter and we are doing everything possible to handle this situation according to best practice for cyber incidents of this nature,” Morison added.