Outabox data breach a timely reminder to prompt ECEC services to consider data safety

The issue of data security in early childhood education and care (ECEC) contexts is again back in the minds of leaders following the arrest of a Sydney man in relation to a major data breach which saw the personal details for up to 1 million New South Wales and ACT residents shared online.

The breach saw personal data – including names, addresses and other details accessed in an incident involving Outabox, an IT provider used by dozens of hospitality venues including hospitality giant Merivale.

Police are investigating whether a website may have been set up by the alleged perpetrator, which allowed people to search names in the leaked database, and returned redacted information about its contents. It is claimed that the website contained over 1,000,000 records.

It is believed that the incident relates to either blackmail or corporate sabotage, issues which could be replicated in the ECEC sector, particularly in services where data security is not a priority, or where updates to information technology hardware and software platforms are not kept up to date. 

“Attacks like this highlight the importance of ECEC providers taking IT and data security seriously,” Michael Lester, Director, Catalytic IT said. 

“On average, the cost of a cyber breach to a small business is around $40,000, and much more for larger business, not to mention the reputational risk, as consumers increasingly become aware of and punish organisations that do not take good care of their personal information.”

“The threat to all Australian organisations has increased, and yet statistics show that the source of these threats is often mitigated by good, basic, cyber hygiene and data security. Do not assume that you are too small to be targeted – attackers know the devastating impact they can have on a small business and weigh up the likelihood you will pay to get the business operational again.”

The need to secure data was confirmed by Detective Acting Superintendent Gillian Lister, who heads up the NSW Police State Crime Command’s cybercrime squad, who are investigating the Outabox incident. 

“Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible,” she said.

“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link,” the Detective added, urging businesses and citizens to report incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch.

An Outabox spokesperson confirmed that it was aware of the potential breach, and was working as a matter of priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement.

For more information about the regulatory requirements around data protection please see here. Further advice and support is available here.