IDCARE as Australia’s national identity and cyber support community service has been engaged by Western Sydney University (WSU) to assist individuals who have concerns about the exposure of their personal information.
WSU have prepared a response page on their website. Keep abreast of developments in relation to this cyber incident by visiting WSU's website.
IDCARE is an independent charity focused on supporting community members that have concerns about their personal, account or credential information.
We have been asked by WSU to extend our support to impacted persons via the provision of expert advice and IDCARE specialist Case Management services are available.
Note that IDCARE's National Case Management specialises in cases where individuals believe they have experienced identity exploitation and misuse or have grave concerns about this risk.
IDCARE Case Managers work every day with community members who experience the compromise or exploitation of their personal information. They understand the real risks, concerns and needs of our community.
General recommendations are provided below. If you have specific concerns or seek further guidance on the recommendations, please submit an Individual Get Help Form and use the reference code provided in your notification.
The exposure of personal information such as name, date of birth, and contact details can heighten risks around scammer engagement. In fact, notifications about a breach itself can also heighten risks, as scammers can seek to impersonate the breached organisation when engaging with notified persons.
Remain scam vigilant by:
Assuming that communications you receive may be from a scammer.
Make your own enquiries using an alternative contact method to the one they used.
Never give remote access to your devices if asked by someone who engages you.
Keep your passwords and codes to yourself. Sharing these with scammers may mean you breach the terms and conditions of the account providers (such as your bank) and any chance of recovering funds highly unlikely.
Staying abreast of the latest scams by visiting Scamwatch or by subscribing to IDCARE’s free community awareness bulletin, Cyber Sushi
If you believe you have responded to a scam engagement, please complete an IDCARE Get Help form to request assistance.
IDCARE has formed response recommendations relating to the credentials potentially exposed as a result of the WSU cyber incident. WSU has informed IDCARE that not all attributes were exposed for each individual impacted.
The WSU notification will contain any available details on specific data categories that may have been compromised. If you have any questions on actions you should take, please contact IDCARE with your query via our Get Help page and we will advise you
Potential Risks
Individually full name is a low risk identity attribute, however in combination with other information (such as address and phone number) scammers engaging you may appear more legitimate.
Recommendations
You may see an increase in targeted phishing attempts via email, text messaging or telephone calls, where the scammer uses details specific to you (such as your name and date of birth for “verification”). For more information on phishing watch IDCARE's what is phishing video here --> https://www.idcare.org/how-to-videos/what-is-phishing.
Never click on links in emails or text messages, no matter how legitimate they appear. Do not be pressured to respond, whether it is by email, text message or telephone. If you want to know whether an organisation tried to get in touch with you, contact the organisation yourself using contact details you know are correct.
Keep being scam vigilant and stay across the latest scams by regularly visiting idcare.org, connecting with our social media, and subscribing to our free online newsletter Cyber Sushi. Another great resource is Scamwatch that collate lots of information and alerts about scams.
Information
The physical address will be the one provided to WSU.
Potential Risks
For most individuals, physical addresses are considered low risk identity attributes. However, in combination with other attributes (such as your full name, date of birth, email address and phone number) scammers engaging you via email, SMS or telephone may appear more legitimate.
Reports made to IDCARE of cyber criminals physically attending a person’s address are very low. Most scammers and cybercriminals are not in Australia.
Some people can have specific concerns about the exposure of their address details, such as survivors of family and domestic violence or as a result of other personal reasons.
Recommendation
If you would like to discuss concerns about the compromise to your address, please submit a Get Help for Individuals Form and a case manager will get in contact with you. If you have imminent concerns about a risk to your physical safety, please contact police immediately.
Information
The phone number will be the one provided to WSU. This could be your mobile or a landline/home phone number.
Potential Risks
The exposure of a phone number can leave you open to being targeted by spam or scam phone calls.
These can appear to be from legitimate phone numbers with local area codes.
They often claim to be an authority or organisation, such as the police, a telecommunication company or a government entity.
The scam-caller may frame the call with a sense of urgency, either in order to avoid a penalty (such as a payment or fine) or to receive a reward (such as a discount).
Scammers may send fraudulent SMS messages to the phone number. These may impersonate a legitimate organisation and include a link to a malicious download or scam website.
For more information on SMS scams please visit IDCARE's fact sheet --> https://www.idcare.org/fact-sheets/sms-scams.
Recommendations
Keep being super vigilant about scams, particularly telephone and SMS scams. Having a little bit of information exposed (such as your full name, address, date of birth, or phone number) can make the job of scammers much easier when convincing people about their deception.
Do not feel pressured to respond to a call or text message. If you think a call may be legitimate, hang up and call the organisation back using details that you know are correct. Do not accept that it is the real organisation because the Caller ID shows their correct number or name – these can be “spoofed” or masked to appear to be real.
Do not download apps or software (such as AnyDesk or TeamViewer), follow technology instructions, or allow remote access to your device to someone who has called you.
Do not click on links in text messages. Instead, contact the organisation using details you know are correct.
If you think a call may be legitimate, hang up and contact the organisation yourself using contact details you know are correct. Don’t automatically accept it’s the real organisation calling you because the caller ID shows their correct number or name: they can be manipulated to seem genuine.
Information
The email address will be the one provided to WSU.
Potential Risks
You may see an increase in email phishing attempts, particularly from scammers claiming to be from WSU. These emails may include malicious attachments, links to fake websites or may download malware onto your device. They may encourage you to update or verify your details or to access a reimbursement via a link.
There is also the risk that your email address may be “spoofed” so that it appears to the recipients that the email came from you.
Additionally, there is the potential for extortion attempts, whereby a criminal claims to have access to your information and threatens to release it unless you provide payment. It is important not to comply with such requests, no matter how convincing they may appear.
Recommendations
Continue being super vigilant about scams and phishing emails. Having a little bit of information exposed (such as your full name, date of birth, email address or phone number) can make the job of scammers much easier when convincing people about their deception.
Beware of phishing emails, including those asking to update billing details, pay invoices or apply for reimbursements.
Never click on links in unsolicited or unexpected emails, no matter how legitimate they appear.
Do not be pressured to respond to emails. Instead, contact the organisation directly using contact details you know to be correct.
Use an up-to-date antivirus application that includes email protection and scanning.
Information
The email address will be the one provided to WSU.
Potential Risks
If you have stored identity credentials in your email inbox, particularly government-issued documents such as your passport, Medicare card or driver licence, there is a risk that these may have been compromised, and a subsequent risk of misuse.
Recommendation
If you have concerns about your identity documents being compromised, please submit a Get Help form on the IDCARE website (using the referral code WESSYD24) and a case manager will assist you.
Information
Medicare card details provided to WSU may have been compromised in this breach.
Potential Risks
Services Australia advise that your Medicare account cannot be accessed with your Medicare card number alone, nor can the card number by itself be used as a proof of identity within their organisation, however, some organisations may accept Medicare card details for the establishment of new credit or debit accounts.
Replacing your Medicare Card
If you are concerned about your Medicare card, you can request a replacement card through your MyGov account or via the Express Plus Medicare mobile app. You will receive confirmation of the request and the new card details will be issued and available to be noted down for use until the physical card arrives. Alternatively, you can use a digital copy of the card through the app. If you prefer, you can call the Medicare General Enquiries line on 132 011 (available 24/7) to order a replacement card.
As a precautionary measure, you may also wish to consider requesting credit bans to protect against credit misuse attempts and checking your credit reports to ensure there are no indicators of credit misuse.
Information
The Tax File Number will be the one provided to WSU.
Potential Risks
In conjunction with other information, your tax file number may be used to submit fraudulent tax returns in your name and/or register or re-register Australian Business Numbers in order to submit GST refunds. There is also a risk of an ATO link being created with a myGov account.
Recommendation
You are not required to contact the ATO in relation to this matter unless you wish to. ATO can be contacted via their Client Identity Support Centre on 1800 467 033 Monday to Friday 8:00am–6:00pmAEST. Please be advised in some cases the security measures implemented by the ATO in response to a compromised TFN may result in tax related services being unlinked within the MyGov portal. It may also mean you need to call the ATO prior to submitting your tax return to have restrictions temporarily lifted on your account.
Information
The Passport details provided to WSU.
Potential Risks
Passport details can present a potential risk of identity misuse. The document can be used as a form of ID to establish new accounts in a person's name, and in some cases, deceive either a person or an organisation into providing access to existing accounts.
Rarely does IDCARE hear from community members who have exposed passports about the use of their passport at the border by someone impersonating them to travel. Border security have measures in place to ensure only the legitimate passport holder can use the passport details for travel purposes.
Recommendations
As a first step, we recommend you consider credit bans and credit reports as precautionary measures to protect against credit misuse.
Information
Driver licence details provided to WSU.
Potential Risks
The greatest risk of misuse of a driver licence is when the driver licence number (CRN) and card number have been compromised. Protective measures have recently been implemented to assist in mitigating fraudulent identity misuse of driver licences, whereby both numbers on your driver licence, specifically, the driver licence number (CRN) and the card number, are required to pass a Document Verification Service (DVS) check.
Recommendations
As a precautionary measure, you may wish to consider credit bans and credit reports as additional measures to protect against credit misuse.
Information
Bank account details provided to WSU.
Potential Risks
Although a BSB and account number does not present a direct financial misuse risk, the BSB does identify who the financial institution is. This may make impersonation scam attempts appear more legitimate.
Recommendations
You may wish to contact your financial institution to inform them of the breach and seek advice in relation to any additional security measures that may be required.
Information
Some of the information exposed in this breach was in relation to medical information, including doctor’s certificates.
Potential Risks
Whilst this information does not pose a direct identity related misuse risk, we acknowledge that for some people there may be concerns that arise due to the sensitivities associated with the exposure of personal health information.
Recommendations
If you would like to discuss concerns about the compromise to your medical records and health information, please submit a Get Help for Individuals Form and a case manager will get in contact with you.
Information
Some of the information exposed in this breach was in relation to workplace conduct related matters, including workplace complaints and supporting documentation.
Potential Risks
Whilst this information does not pose a direct identity related misuse risk, we acknowledge that for some people there may be concerns that arise due to the sensitivities associated with the exposure of personal information.
Recommendations
If you would like to discuss concerns about the compromise to your workplace conduct information, please submit a Get Help for Individuals Form and a case manager will get in contact with you.
Information
Some of the information exposed in this breach was in relation to superannuation information.
Potential Risks
Your superannuation information may be used to undertake unauthorised financial activities.
Recommendations
Contact your superannuation provider and explore with them what additional security measures they may have available to protect you.
IDCARE as a registered charity does not ask individuals to donate or pay for our front line services. We are not a charity that can receive tax deductible donations.
We rely on organisations that care enough about you to care about us to keep our charitable service going. Proudly these organisations are displayed above and on our Subscriber Organisations page.
If you are asked for payment from someone claiming to be from IDCARE, please report this to us using our Report Phishing email.
IDCARE has access to the Department of Home Affairs Free Interpreting Service, delivered by the Translating and Interpreting Service (TIS National). Access to the Free Interpreting Service is provided to assist you to communicate with non-English speaking people who hold a Medicare card. Please note that the service does not extend to New Zealand citizens or residents who do not hold an Australian Medicare card, or to tourists, overseas students or people on temporary work visas.
New Zealand Relay provides services to help Deaf, hearing impaired, speech impaired, Deafblind and standard phone users communicate with their peers.
A TTY user connects to New Zealand Relay via a toll-free number and types their conversation to a Relay Assistant (RA) who then reads out the typed message to a standard phone user (hearing person).
The RA relays the hearing person's spoken words by typing them back to the Textphone (TTY) User.
The National Relay Service (NRS) is an Australian government initiative that allows people who are deaf, hard of hearing and/or have a speech impairment to make and receive phone calls.
The NRS is available 24 hours a day, every day and relays more than a million calls each year throughout Australia.