Data Breach by Third-Party IT Provider

On Sunday, 3 December 2023, the Architects Accreditation Council of Australia (AACA) became aware of a cyber incident affecting our third-party IT provider.

To safeguard all those who interact with AACA, including our members, our people, and others, AACA immediately initiated an independent investigation into how individuals may have been impacted by this incident.

Key lines of AACA’s inquiry into this incident include what types of data may have been accessed and stolen, the scope and scale of this data, whether any of this data is of a sensitive or personal nature, and what steps AACA’s third-party provider has taken to safeguard AACA and our broader professional community.

The AACA has worked closely with external cyber security experts and relevant Australian Government agencies and regulators. We thank them for their support since first notifying them of the incident.

Impact on individuals

On 22 December 2023, this independent investigation confirmed the individuals who have had personal information unlawfully accessed and stolen by cyber criminals seeking to extort our third-party provider.

If your information has been impacted, the AACA will notify you directly.

AACA has received assurance from its third-party IT provider who suffered the breach that all reasonable steps to resolve the matter and mitigate the risk of further misuse of the impacted dataset have been taken. The third-party IT provider has not discovered any evidence to suggest there has been or will be any future misuse of the data.

Supporting you

We know this information may be distressing and AACA apologises for any concern this news may cause.

We want to assure you that AACA is doing everything we can to support and protect all individuals who interact with AACA.

If you have any questions or concerns, please do not hesitate to contact AACA via email: [email protected].

KEY Q&As

  1. What happened? Was AACA the victim of a cyber incident?

On Sunday, 3 December 2023, the Architects Accreditation Council of Australia (AACA) became aware of a cyber incident affecting our third-party IT provider. This incident did not impact core AACA systems or networks.

We made a statement about this at the time, which you can read here.

  2. What have you done in response?

To safeguard individuals who interact with AACA, AACA immediately initiated an independent investigation into how applicants, members, and others may have been impacted by this incident. This investigation is now complete and affected individuals have been notified directly.

As a result, the AACA has commenced a review into our internal processes, including what data we store and how we store it.

  3. Did you notify the Australian Government? Which agencies?

The AACA and our third-party IT provider alerted the Australian Cyber Security Centre, the National Office of Cyber Security, and the Office of the Australian Information Commissioner. We thank them for their support since first notifying them of the incident.

  4. What data has been impacted?

Impacted data includes information collected for AACA accreditation and assessment purposes. Where we have confirmed that core identity information has been impacted, including identity documents such as passports, AACA will contact you directly.

  5. Who was behind this incident?

As the incident impacted a third-party IT provider, it would be inappropriate for the AACA to comment further.

  6. Who was the impacted third-party IT provider?

To ensure the integrity of their internal investigations, it would be inappropriate for the AACA to comment further.

  7. Why didn’t you tell me about this earlier?

AACA became aware of the incident on Sunday, 3 December 2023. We began the process of notifying our stakeholders at the earliest opportunity, and first acknowledged the breach via a statement on our website on Wednesday, 6 December 2023.

  8. What do I do if my data has been impacted?

If your data has been impacted, the AACA will notify you directly.

You can also find more information about protecting yourself online at cyber.gov.au and at scamwatch.gov.au.

If you have any questions or concerns, please do not hesitate to contact AACA by email at our dedicated mailbox: [email protected].


Architects Accreditation Council of Australia
Gadigal Country
Suite 3, Level 5, 75 Castlereagh Street
SYDNEY NSW 2000

Located on Gadigal Country, the AACA acknowledges the Traditional Custodians of Country throughout Australia and their connections to land, sea and community. We pay our respects to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander peoples today.