VBA Plumbing Audit Data Incident FAQs

VBA Plumbing Audit Data Incident Statement

How did the exposure occur? Why was the data uploaded to the server?

A third-party vendor contracted by the VBA uploaded the data to their US-based server without notifying the VBA of their intentions or receiving authorisation from the VBA.

The technology company is assisting the VBA with our investigation.

When was the data available online?

The data was available over a 17-day period from 26 November to 12 December 2018.

Were any financial data, banking account or credit card details involved in the incident?

No financial details are recorded in this database and, as such, no financial records have been exposed.

Were VBA IT systems impacted by the exposure?

No VBA IT systems were involved.

What information did the data contain?

The data contained the names of Victorian plumbing practitioners and VBA plumbing inspectors, their telephone contact numbers, site addresses and details of rectification order numbers.

Was the data downloaded or accessed?

The VBA has been advised by the third-party technology company responsible for the exposure that there is no evidence that any data was downloaded. However, the data may have been accessed/viewed during the period in which it was accessible.

What data was exposed?

The data relates to some plumbing audits and drain inspections dating to 2011.

What data fields may be included in the data?

  • Inspection Number
  • Parent Inspection Number
  • Date/Time/Length
  • Compliance Certificate
  • Consent to Connect
  • Practitioner ID
  • Practitioner Name
  • Practitioner Address
  • Practitioner Phone/Mobile/Fax
  • Property Address
  • Lot/Street Address
  • Mandatory Drain Inspection
  • Work Codes
  • Audit Completed

How many plumbers may be affected?

The VBA believes around one-third of all registered and licensed plumbing practitioners may be affected by this incident.

Initial notification was received on 26 November 2018

The VBA was notified of a data exposure by a security researcher on 26 November 2018.

On Tuesday, 27 November 2018, the information was assessed, and the VBA confirmed that its IT systems were secure.

Further information was provided on 10 December 2018

On 10 December 2018, further information was provided to the VBA regarding the data exposure. This lead the VBA to identify the external source of the data on an unsecured server in the United States. The data was secured by 12 December 2018.

Can my identity be misused with information from the affected data?

Following the incident, the VBA sought advice from IDCARE, Australia and New Zealand’s national identity compromise and cyber security support service, to assess the direct risk of identity misuse from the available data.

IDCARE has assessed this risk as very low.

IDCARE recommends that impacted individuals are reminded of the need to be vigilant when it comes to unsolicited communications via telephone and email. Whilst the direct risk relating to identity theft appears very low (i.e. not very likely), a risk nevertheless does present to members relating to fraudulent social engineering where third parties may identify relevant contact information through further searching of public systems and make contact via phone or SMS to attempt deceptive conduct (e.g. telephone scams).

Have my bank account or credit card details been stolen or compromised?

No financial information was stored in the affected data.

Has the VBA’s Licence and Registration database been compromised?

No internal VBA IT systems have been affected or compromised.

Are the VBA’s IT systems secure?

The VBA’s IT systems were not compromised.

What authorities have been notified of this data exposure?

The VBA notified the Office of the Victorian Information Commissioner of this incident on 13 December 2018.

What is the VBA doing to prevent this from happening again?

The VBA has engaged cyber security experts to assist with its investigation and undertake a review of information security practices.

Who can I contact for more information?

If you require more information about the affected data or this incident, please call the VBA Plumbing Audit Data Incident Support Line on 1800 957 443. The line will be operating 24 hours a day, 7 days a week.

What can I do to protect my personal information online?

An incident such as this is a timely reminder that we all need to be vigilant when it comes to unsolicited communications via telephone and email. As always, this includes looking out for potential spam emails and suspicious phone calls that might attempt to gather personal information from you.

You can find additional guidance on how to protect your identity and respond to identity concerns by reading the Office of the Australian Information Commissioner’s data breach guidance for individuals and visiting IDCARE’s Learning Centre.

If you are concerned about your privacy, please contact the Office of the Victorian Information Commissioner by calling 1300 006 842 or emailing enquiries@ovic.vic.gov.au.