Fire Rescue Victoria has warned current and former staff, as well as job applicants, that their information “may have been accessed or stolen” in an attack at the end of last year.
The agency late last week notified the Office of the Australian Information Commissioner that employee data was likely breached.
The agency first revealed it had taken systems offline on December, 15 and on December 16 confirmed it had suffered an attack.
A week later, Fire Rescue Victoria (FRV) confirmed that some of its information had been compromised in the attack.
“It is a complex task to identify what information has been stolen and we have engaged specialists to assist with this analysis,” the agency said.
FRV also hinted that information had leaked, adding: “We strongly discourage the media and anyone else from searching for or accessing sensitive or personal FRV data and to refrain from contacting our employees directly.”
The update warns: “it is an offence to buy stolen credentials and those who do face a penalty of up to 10 years’ imprisonment”.
Last Friday, FRV went public with its OAIC notification, saying, “We have reasonable grounds to believe that information may have been accessed or stolen by a malicious third party.”
Information accessed could have included personal information about “current and former employees of FRV and the former Metropolitan Fire and Emergency Services Board (MFB), individual contractors and secondees from other organisations to FRV and the former MFB”, as well as job applicants “excluding firefighter recruit applicants”.
Those affected will be offered IDCARE and Equifax services paid for by FRV.