Names, addresses and bank statements of Tasmanian parents and students have been released online in a data breach involving at least 16,000 documents.
The documents were released by hackers as part of a cyber attack on a third-party transfer software used by the Tasmanian Department of Education, Children and Young People.
Science and Technology Minister Madeleine Ogilvie confirmed the documents, including invoices, bank statements, and names and addresses of people connected to the department, had been accessed by ransomware group Cl0p.
As investigations continue, she conceded the number of affected documents may increase.
She said Tasmanian schools had been contacted regarding the data breach, and a hotline —1800 567 567 — had been set up for individuals to contact if they were concerned their data had been accessed.
"My concern is for individual students, parents; we need to triage that; we'll be working through that," Ms Ogilvie said.
"If you see any activity that's unusual, your bank statements … please bring it forward, bring it forward to the authorities, contact the Australian Cybersecurity Centre or come directly to us through our number.
"It's a terrible thing. It's a crime. And it is a global problem that we're dealing with.
"I'm very, very concerned, and I have the deepest amount of sympathy and empathy for those who have been unwittingly captured in these document releases. "
The breach, which targeted third-party file transfer service GoAnywhere MFT, occurred last month, with the state government confirming on March 31 that its data had been accessed.
Ms Ogilvie said the government was continuing to use the software as part of "best practice" after a patch was applied to fix vulnerabilities.
"The particular incident was over ... four days. A patch was applied, and that problem was remedied," she said.
"What we're dealing with now is information that was transferred during that window."
Labor calls for Premier to step in
It is understood Crown Resorts and Rio Tinto are also victims.
Labor's Jen Butler said it was time the premier stepped in to "manage this crisis".
"What we know is potentially each primary school in Tasmania, every entity, every individual who's had anything to do with the Department of Education may be compromised, and that could put some people in a very dangerous situation," she said.
"We are aware that other organisations such as Rio [Tinto], which were also infiltrated by the same Russian hackers, have been contacted for ransom. That is part of the process of these very sophisticated criminal groups when they have that data.
Labor leader Rebecca White said she had requested a briefing from the government, saying it was a "serious situation" and parents were "rightly concerned".
Experts urge vigilance
Cyber security experts said the best way to stay protected was through vigilance, given the significant levels of personal data already in the community.
"There's nothing you can do other than [be vigilant] and understand these scams are out there," said Nikolai Hampton, security consultant and former director of Impression Research and Cyber Security.
He said the main challenge was the many ways the community was required to prove identity.
"You have information like your payment details, your home address, your birth date, your driver's licence number — all those things that become part of your identity record.
"So once it's out — you can't go changing your birth date all that easily … it becomes progressively more and more difficult.
"That kind of privacy, that horse has kind of already bolted in some ways."
So what could be the motivations behind such breaches, and what use is information like email addresses and phone numbers?
University of Tasmania senior lecturer and cyber security expert Joel Scanlan said the motivation of hackers could vary, but they were increasingly financially motivated — be that on a large scale or through identity theft.
"Fundamentally, it's a malicious act," Dr Scanlan said.
"In recent years, a lot more data breaches that we're seeing … [are] around breaches of privacy, breaches of confidentiality, trying to get a lot more information about individuals that they can then leverage to make money … whether it's identity theft or getting access to banking details to dry and drain those accounts."
More risk from more breaches
Mr Hampton said increasing numbers of breaches could help scammers potentially piece together bits of information gathered in different events.
"It becomes a problem that is compounded because the more they learn about you, the more influence they can have over you when they're doing social engineering-style attacks," he said.
"Everything they say and do can become more plausible."
The other challenge, he said, was that often the impacts of the breach were only seen much later — particularly if your data has been sold or passed on to other groups or scammers.
"They can have long-reaching effects for a very long time, because all it takes is some other scammer to harvest the data and then think of a novel way to use it."
However, Mr Hampton believed breaches were typically about quantity over quality rather than targeting individuals.
For example, if a collection of emails has been gathered, it does not matter if not everyone falls for a scam like being contacted by an official-looking account seeking some form of payment.
"If 99 per cent of people don't fall for [a scam but] hundreds of thousands of people are breached … then they're going to have success," Mr Hampton said.
Ransoms are also a key motivation.
"Their intention is to say, 'If you don't pay me, or don't pay our ransomware group $50,000, we're going to release the data, and it's going to be damaging to your organisation'.
"They're not specifically looking for your individual bank account or your individual email address. They're looking for any information that has value to someone else later on, like a scammer or an attacker.
"[The group] is trying to extort money from someone."
Monitor unusual activity
Dr Scanlan said there were ways to minimise the risk for people concerned about their data being caught in a breach.
"The fundamental way to protect ourselves is to be mindful of what data we have out there, to try to minimise as much as possible what's out there," Dr Scanlan said.
Changing passwords to email accounts if that information has potentially been taken and ensuring passwords aren't being repeated for different accounts were also options.
"Monitor for any unusual activity — have any other accounts been signed up to lately that you didn't sign up for yourself?
"If it's financial, it's a case of keeping a really close eye on your financial statements.
"Is anything being used? Has someone bought something with my credit card number?"
The investigation into the Tasmanian government data breach is being handled by the Australian Cyber Security Centre, with the government urging Tasmanians to stay alert for any suspicious activity or attempted scams.
