A significant data breach has exposed the private information of more than 1,200 Baw Baw Shire residents who contacted customer service after-hours over a nearly two-year period, the Baw Baw Shire council revealed. The breach occurred at OracleCMS, a third-party call center contracted by the council to field inquiries outside normal business hours. It reportedly does not impact the council's own systems and databases.

Over 1,200 Baw Baw Shire Residents Affected

The exposed information includes customer contact details and call notes—dates from June 2014 to January 2016 when customers rang the council hotline during evenings, weekends and holidays. Calls made during the specified period had been automatically forwarded to OracleCMS call agents. It remains unclear precisely how the contractor failed to protect confidential constituent information or when the company first discovered the breach. Upon learning of the breach earlier this month, Baw Baw officials urgently contacted every affected resident—over 1,250 in total—through SMS messages and personal calls to vulnerable groups like the elderly. While the breach did not infiltrate Baw Baw's systems directly with the council's own systems, it represents a alarming security gap by a third-party vendor given access to constituents' sensitive information.

OracleCMS Provider Implicated in Other Breaches

Authorities are currently investigating the incident, which may have also impacted other clients of the Australia-based company. OracleCMS provides outsourced contact center services for an array of local governments and organizations. OracleCMS had previously been implicated in a long list of data breaches affecting several different cities in Australia. According to some official press release statements, OracleCMS appeared to initially downplay the incident. An earlier release from Merri-bek City Council stated:

OracleCMS informed Council in April that there had been a cyber security incident where identifiable information of customers had been compromised. Until last week we were informed that Council’s customer data was not involved. Council has now been informed that the OracleCMS data breach does include records of calls handled by OracleCMS on Council’s behalf. We take the privacy of our customers very seriously and we are taking urgent action to address this issue.

The OracleCMS data breach also affected some businesses such as several entities belonging to Nissan in the Australia and New Zealand region, such as Nissan Financial Services Australia Pty Ltd, Nissan Motor Co. Pty Ltd, Nissan Financial Services, New Zealand Pty Ltd and Nissan New Zealand Ltd.

OracleCMS subsequently suffered a data breach, which it was alerted to on 15 April 2024. This separate incident resulted in certain data which was held by OracleCMS, including the summary information Nissan provided to OracleCMS, being compromised and published on the dark web.

As cyberattacks surge, some have questioned whether outsourcing critical customer service channels renders individuals and businesses more vulnerable to data theft. The incident serves as reminder for governments and organizations to lock down vulnerabilities present in third-party vendors or tools while conducting regular security audits. Residents with concerns regarding the breach may contact Baw Baw Shire Council’s customer service line at +61 3 5624 2411. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.