Statement from the Chief Executive Officer Moyne

Published on 17 March 2023

Moyne Shire Council has made a formal notification to the Victorian Information Commissioner and Department of Education and Training following a cyber-security incident at the Koroit Kindergarten.

On March 3 an unauthorised third party gained remote access to an electronic device at the kindergarten which stores enrolment information of children for approximately ten minutes.

Once identified, Council IT staff attended the kindergarten, isolated IT systems and collected all devices on site while waiting for advice from the Australian Cyber Security Centre – Cyber Incident Response Service.

Further analysis of all devices on-site has confirmed no information was downloaded or transferred to external parties. Despite this Council is obligated to make a formal report and has done so.

Families have been notified of the incident and a full briefing has been provided to Councillors and the Audit and Risk Committee.

Immediate actions following the incident have been to install further security features on all devices and staff will undergo refresher training in cyber-security procedures.

Council will now work with relevant bodies to complete a full review of the incident and will implement any recommendations made by the Cyber Incident Response Service, Office of the Victorian Information Commissioner and Department of Education and Training.

Council takes cyber security and the protection of data seriously, we are committed to full compliance with our obligations under the Privacy and Data Protection Act 2014.

Prior to this incident work was already underway to strengthen systems, policies, procedures and staff training given the changing way cyber-criminals are attempting to access data. This work is ongoing and will now incorporate any recommendations from the review of this incident.