When Anna* received a letter from Victoria's fire service advising her personal information may have been stolen in a cyber attack, she wasn't too concerned.
The Melbourne woman had applied to become a firefighter with Fire Rescue Victoria (FRV) in 2021, along with more than 5,000 other hopefuls.
Anna had heard media reports about the cyber-attack on FRV in December last year, but the letter she received almost three months after the incident didn't offer much detail.
"FRV has reasonable grounds to believe that the personal information of firefighter recruit applicants may have been accessed or stolen by a malicious third party," reads the letter, dated March 8.
The letter noted FRV data had been shared on the dark web but did not specify the type of personal information at risk.
"They just told me that I'm part of a breach, they didn't tell me what information was breached," Anna said.
"I just kind of thought I'd given my name, address, phone number … I'd sort of forgotten how much information I had shared."
It was only when she was contacted by the ABC about the incident that Anna realised the extent of the data breach.
"I was shocked … I am just really angry, actually," Anna said.
"This is a state government body, why aren't they on top of what their state government bodies are doing with personal information?"
Not only did the potentially stolen data include identification and contact information, but also medical records, passport and driver's license details, Medicare numbers, Centrelink numbers and healthcare identifiers.
Reviewing her application documents, Anna realised she had shared a raft of sensitive information, including health information and superannuation details.
"I lost my business during the pandemic, so I've had to find different ways forward with my life and my last asset left is the super," she said.
"And that's the biggest worry, given the extent of all the other information they have."
Fire Rescue Victoria's communication under scrutiny
David Vaile, chair of the Australian Privacy Foundation, said FRV had failed to communicate to Anna what she needed to know to protect herself.
"It puts all the burden of trying to understand what has happened, onto the people who are least in a position to understand," Mr Vaile said.
"And the delay means that notification has lost its major benefit. This is almost a case study in how not to communicate."
Anna said she expected better from a government body, including more transparency about the attack itself.
"They were offered a chance to just pay a ransom and they chose not to. I think there's been a failure to tell us that," Anna said.
Toby Murray, an associate professor of cyber security at the University of Melbourne, said Anna had every right to expect full disclosure about the data breach.
"Traditionally, organisations have shared very little information at all when they've been attacked … but we've started to learn that we need to be sharing more information," Dr Murray said.
"And not only with individuals to help them better protect themselves when their data is exposed, but also so that best practices are established about the right way to respond to different kinds of attacks."
Data hack could potentially affect tens of thousands
Anna is just one of thousands of people who may had their data stolen, as a result of the December 2022 cyber attack.
Though the exact number is unknown, the data breach potentially affects anyone who has ever applied for a job or been employed by FRV or its predecessor the Melbourne Metropolitan Fire Brigade.
With more than 4,500 current employees and more than 5,000 yearly firefighter recruit applicants alone, the number potentially affected is in the tens of thousands.
Fire Rescue Victoria did not respond to the ABC's questions about the number of individuals it has contacted to warn about the data breach.
"We are deeply sorry this attack has occurred and are doing everything possible to prevent it from happening again," a FRV spokesperson said.
"We continue to encourage affected groups, including current and former employees and job applicants to make use of the identity and credit protection services FRV has provided."
Cyber-security experts also have concerns about the ongoing impact of the incident.
It has now been more than five months since the cyber attack paralysed FRV systems and fire crews are still being alerted to emergencies manually, via pagers, radio and phone.
The state government has insisted the ongoing IT outage has not endangered community safety, but Dr Murray questioned that.
"You've got these critical systems, especially the automated dispatch system, which has been taken offline," he said.
"They've said that it hasn't impacted public safety, but I personally wonder what might have happened if it had been a bushfire summer."
Dr Murray said the lengthy delay in restoring FRV systems was also surprising, with the recovery from similar attacks usually limited to a few weeks.
"This certainly does seem to be an outlier… I find it really concerning that a critical capability has now been offline for five months." he said.
The state government has indicated FRV's automated dispatch system will be restored in coming months, but no timeline has been given.
"The community can be assured FRV crews will always turn out when they are needed to protect life and property," a Victorian Government spokesperson said.
"Fire Rescue Victoria is continuing to restore, recover and rebuild systems as quickly as possible."
Challenges in responding to ransomware attacks
Building systems that can repel cyber-attacks, especially ransomware attacks, is a real challenge, said James Martin, criminology program director at Deakin University.
"There is a whole blossoming ransomware industry. This is one of the fastest growing cybercrimes in the world," Mr Martin said.
"It's a massive problem and it's only going to be getting worse."
Mr Martin said governments at all levels needed to focus not just on improving cyber security to reduce their system vulnerability, but also to rethink how they manage data.
"[They] need to treat data not just as an asset, but as a liability … if they're going to hold it, they need to think carefully about who has access and if there are proper privacy and security controls in place," he said.
"And then, similar to bushfires … they need to have a plan so when the worst happens, you've got ways to mitigate the damage."
Dr Murray agreed that planning for cyber attacks should be front of mind for governments, especially given critical services and infrastructure are increasingly being targeted.
"We've seen plenty of instances of hospital systems around the world being taken offline by ransomware attacks … that's obviously going to have an impact on the delivery of those critical services," Dr Murray said.
The ransomware group that claimed responsibility for the FRV attack is just one of many criminal groups targeting such critical services, Dr Murray said.
"They're got a history of targeting health services, for instance, as well as education services and local government," he said.
The same criminal group was behind attacks on dozens of US schools last year, which led to the public leaking of sensitive student data and an FBI warning for the entire educational sector.
Dr Murray said governments and their associated agencies, just like the private sector, needed to invest more to protect these critical systems and any sensitive data.
"We should expect those organisations who are demanding that information to protect it, and to not keep that data any longer than is absolutely necessary," he said.
* Name changed for privacy reasons.
