Media Release: Victorian schools data breach

Posted on January 15, 2026

15 January 2025

Hackers have accessed the information of current and past Victorian government school students in a major data breach.

It appears that the data involved in the breach was limited to basic information like name, email address, password, and year level, which means the Victorian schools affected have been extremely lucky.

Some data collection is necessary. Schools need to record basic information about their students. What is not necessary is the routine accumulation of excessive, intimate and granular data that later becomes a liability when leaked.

Every time there is a data breach we must ask: how much data is enough? The safest data is that which is not stored. Australia needs a default policy of data minimisation, backed by a cybersecurity regime with penalties for organisations and companies that don’t comply.

This data breach also highlights the need to update our privacy laws, given schools are covered by state laws which offer only limited redress when data breaches like this occur.

Digital Rights Watch also notes the need for a strong Children’s Online Privacy Code to protect children and their data.

Quotes attributable to Tom Sulston, Head of Policy:

“These schools are lucky the data breach wasn’t worse, and we still can’t be sure the data is being used in nefarious ways through data matching and on-selling for the purposes of scamming and identity theft.”

“What this, and every data breach, shows is that we need a default position of data minimisation across every organisation and company in Australia, strong penalties for organisations that fall below best practice cybersecurity, as well as robust right to delete laws meaning anyone can request the deletion of their data and have it enacted.”

Media contact for interview:
media@digitalrightswatch.org.au
Tom Sulston: +61 448335466