A resident of Moreton Bay, Australia was shocked to discover that the private information of several resident ratepayers in the region, including their friends and neighbors, had been accidentally published on the Moreton Bay council’s official website.
The leaked information included names, residential addresses, email addresses, and phone numbers, as well as resident complaints to the council and details about council investigations.
Data Breach Discovered By Local Resident
City of Moreton Bay resident Piper Lalonde, who works as a data analyst, had discovered the breach along with her husband. They were shocked to learn that their personal information was freely available on the council’s customer request online portal.
The couple had discovered that the information included their phone numbers, complaints, and requests that they had made for new bins, along with the GPS coordinates of where the requests had been filed. A further investigation into the breach had revealed that the personal information of some of their friends and neighbors who were fellow ratepayers were also available in the records after they conducted a search.
Piper reported this information to the council, with the website being taken down the next day. However, she was still unsatisfied with the lack of notification about the incident to impacted residents. Piper stated, “I would expect they’d have to send out some formal communication letting people know their information was publicly accessible, but there was no indication they were going to do that.”
She expressed concern about the possibility of people stumbling upon complaints made about them by other residents. She added, “If this gets in the wrong hands — it just takes one person to see a complaint about them, and who knows what they’ll do.”
City of Moreton Bay Responses to Data Breach
After Piper’s report, the website was said to be taken down. The site appears to be functional as of now, with some functions still limited. The website includes an official notice in response to the incident.
We are experiencing system difficulties with our customer request portal. Our third-party provider is investigating a possible information breach. The cause is yet to be determined but there is no indication this is a cyber attack. We will never contact you via unsolicited calls to request sensitive information. No action is required from you at this stage. We will continue to keep you informed.
The notice appears to indicate that the breach stemmed from a third-party provider. A council spokesperson disclosed the following information about the breach to the Cyber Express:
-
A low level privacy information incident occurred via our customer request portal.
-
The low level privacy information breach did not involve data being published on Council's website.
-
It included some personal information of approximately 100 customers.
-
No financial or sensitive information was accessible.
-
Council’s Privacy Team are in the process of communicating directly with the 100 affected customers and this will be concluded by COB tomorrow Friday 14 June.
The spokesperson further shared that the cause of the data breach incident was a system configuration error and not a cyberattack. The Council has now secured the customer platform and it is now back online. Only customers found to have been impacted would be directly contacted directly by Council.
The Moreton Bay Council has notified the Office of the Information Commissioner in Australia with details of the breach. “As always, City of Moreton Bay will never contact customers via unsolicited calls or texts requesting sensitive information. Please be assured that Council takes the protection of personal information seriously,” the council spokesman said.
*Update (June 13 – 6:35 AM EST): Added response from Moreton Bay Council spokesman
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
