Canberra Tradesmen’s Union Club Cyber Incident FAQs 

Updated 29 July 2024 

General Information 

    1. What personal information of mine has been posted online?

      A: Based on information received by the impacted provider, only limited information was viewable on the offending website. This did not include sensitive identity information such as driver's license details or other sensitive data. The website is no longer accessible. 

    2. What happened in the cyber incident?

      A: On 29 April 2024, a cyber incident involving one of our former external service providers impacted the Canberra Tradesmen’s Union Club. The incident allowed limited information to be viewed on a website that is no longer accessible. The individual believed to be behind the incident is known, has been arrested and charged, with their assets seized. 

    3. Who was responsible for the incident?

      A: The individual believed to be responsible for the incident has been identified, arrested, and charged, with their assets seized. 

Data Security and Protection 

    1. What type of information was accessible?

      A: Based on information received by the impacted provider, the information accessible was limited and did not include sensitive identity information such as drivers licence details. The website is no longer accessible. 

    2. What data of mine was held on file by The Tradies?

      A: Thank you for requesting a copy of your personal information that we hold. We would be grateful to receive this request via email so we can provide you with a copy of it. Please note the information that we will provide should not be taken as information of yours involved in the incident. For specifics about your data, please contact us at privacymanager@thetradies.com.au. 

    3. Why was my information stored if I have not been a member for several years?

      A: We engaged the services of the third-party provider in 2020. As a result, we informed members who were financial members or in renewal between 2020 and the time of the incident. 

      For members who continue to press: Further to this, we have retained your personal information to the extent necessary to comply with our licensing requirements as a registered club in the Australian Capital Territory. 

    4. Was my personal information compromised? 

      A: Based on information received from the impacted provider, only limited information was viewable on the offending website, and this did not include any identity information such as driver's license details or other sensitive information. It is also important to note that

      • the individual believed to be behind the incident is known and has been arrested and charged, with their assets seized; 

      • the background circumstances of the matter suggest the individual’s motivations were not to misuse any personal information; 

      • the website is also no longer accessible 

        The above matters support the view that your information is not at risk. 

5. Is my information safe now? 

A: Based on information received from the impacted provider, only limited information was viewable on the offending website, and this did not include any identity information such as driver's license details or other sensitive information. It is also important to note that:

  • the individual believed to be behind the incident is known and has been arrested and charged, with their assets seized; 

  • the background circumstances of the matter suggest the individual’s motivations were not to misuse any personal information; 

  • the website is also no longer accessible. 

    The above matters support the view that your information is not at risk. 

    We have also enhanced our cybersecurity measures to further protect your information. This includes reviewing our internal IT security and data policies. 

6. Why were you storing driver's license details? 

A: We retain driver's license details to verify member identities and to comply with our licensing requirements as a registered club in the Australian Capital Territory. We are reviewing our practices to determine if retaining such information is necessary and exploring alternatives to reduce data retention. 

7. Can I get further information about personal information held by The Tradies? 

A: Yes, you can request specific details about your personal information by contacting us at privacymanager@thetradies.com.au. Please note the information that we will provide should not be taken as personal information of yours involved in the incident. 

Incident Response 

  1. When will I know if my personal information has been accessed or stolen?

    A: Based on information received by the impacted provider, we understand that only limited information was accessible and did not include drivers licence details or other sensitive personal information. 

    It is also important to note that

    • the individual believed to be behind the incident is known and has been arrested and charged, with their assets seized; 

    • the background circumstances of the matter suggest the individual’s motivations were not to misuse any personal information; 

    • the website that initially allowed limited information to be viewed is no longer accessible 

      The above matters support the view that your information is not at risk. 

    2. Why did it take so long to inform us about the results of the incident?

    A: We commenced investigations as soon as we were informed of the incident on 29 April 2024. We needed time to thoroughly investigate the incident and gather substantial information to provide an accurate update. 

    Further to this, as the cyber incident occurred in the impacted service provider’s IT systems, we were also reliant on information and investigations undertaken by the impacted service provider. We also note that there are ongoing criminal investigations and court proceedings. Nevertheless, we were committed to progressing the investigations as quickly as possible, and we strove to ensure that we had all the necessary details before communicating with our members in order to provide the most accurate information. 

Communication and Support 

    1. How can I get more information or support?

      A: If you have any further questions, please contact us via email at privacymanager@thetradies.com.au. 

    2. How can I cancel my membership and have my personal information removed?

      A: To cancel your membership and request the removal of your personal information, please contact us at privacymanager@thetradies.com.au. We will process your request and confirm once it is completed to the extent that we are not required to retain your information in compliance with our legislative licensing requirements.

       

    3. Why did I receive a text message about the breach?

      A: We used multiple communication methods to ensure all members were informed promptly. If you prefer email communication, please update your preferences by contacting us at privacymanager@thetradies.com.au. 

    4. Is the text message I received about the breach legitimate?

      A: Yes, the text message is legitimate. However, if you have concerns, please verify the information by visiting our official website or contacting us directly at privacymanager@thetradies.com.au. 

    5. Will I be notified if there are any updates regarding the incident?

      A: Yes, we will continue to keep our members informed of any significant updates related to this incident. 

Apology and Reassurance 

  1. What should I do if I feel stressed about this incident?

    A: We sincerely apologise for any stress or difficulties this incident may have caused. Please reach out to us if you have concerns, and we will do our best to assist you. 

  2. Will there be any compensation for the inconvenience caused?

    A: While your information is not at risk, we sincerely apologise for any inconvenience or difficulties caused. We greatly value and appreciate your understanding and support during this time. 

FAQs Regarding Requests for Compensation 

  1. Will the club cover any costs related to identity theft protection services?

    A: Based on information received from the impacted provider, only limited information was viewable on the offending website, and this did not include any identity information such as driver's license details or other sensitive information. It is also important to note that:

  • the individual believed to be behind the incident is known and has been arrested and charged, with their assets seized; 

  • the background circumstances of the matter suggest the individual’s motivations were not to misuse any personal information; 

  • the website that initially allowed limited information to be viewed is no longer accessible. 

    The above matters support the view that your information is not at risk. 

    Noting the above, if you are aware of particular circumstances that you believe have caused you to suffer loss and damage as a result of this incident, could you please provide us with further details and documents in support? 

2. If my information is misused as a result of this incident, will the club compensate me?

A: Based on information received from the impacted provider, only limited information was viewable on the offending website, and this did not include any identity information such as driver's license details or other sensitive information. It is also important to note that:

  • the individual believed to be behind the incident is known and has been arrested and charged, with their assets seized; 

  • the background circumstances of the matter suggest the individual’s motivations were not to misuse any personal information; 

  • the website that initially allowed limited information to be viewed is no longer accessible. 

    The above matters support the view that your information is not at risk. 

    Noting the above, if you are aware of particular circumstances that you believe have caused you to suffer loss and damage as a result of this incident, could you please provide us with further details and documents in support? 

3. Can I receive compensation for the inconvenience this incident has caused?

A: We sincerely apologise for any inconvenience caused by this incident. 

    We are taking significant steps to enhance our cybersecurity measures and ensure the protection of your information in the future. If you are aware of particular circumstances that you believe have caused you to suffer loss and damage as a result of this incident, could you please provide us with further details and documents in support? 

FAQs Regarding the Duration of the Investigation 

    1. Why did it take so long to complete the investigation?

      A: Investigating a cyber incident involves a thorough and meticulous process to ensure all aspects of the breach are understood and addressed. We commenced investigations as soon as we were informed of the incident on 29 April 2024. We needed time to thoroughly investigate the incident and to work closely with the impacted service provider and cybersecurity experts to gather accurate information and assess the situation fully. 

      Further to this, as the cyber incident occurred in the impacted service provider’s IT systems, we were also reliant on information and investigations undertaken by the impacted service provider. 

      We also note that there were criminal investigations and proceedings in respect of the cyber incident. 

      Nevertheless, we were committed to progressing the investigations as quickly as possible, and we strove to ensure that we had all the necessary details before communicating with our members in order to provide the most accurate information possible. 

    2. Was the delay due to any issues within the club’s own IT systems?

      A: No, there were no breaches in our own IT security systems. The delay was primarily due to the complexities of investigating the incident with the former external service provider, ongoing criminal investigations, court proceedings, and ensuring all relevant information was accurately obtained. 

    3. Why couldn’t the club provide updates sooner?

      A: We aimed to provide accurate and comprehensive information to our members. We were conscious that premature updates could lead to misinformation or confusion. As such, we wanted to ensure that we had all the necessary details before communicating with our members. 

    4. What specific information was needed to complete the investigation?

      A: We needed detailed information on the nature of the breach, the potential data impacted, and the motivations of the individual responsible. This involved extensive data analysis, collaboration with cybersecurity experts, and regular discussions with the impacted service provider. 

    5. Will the club provide regular updates in case of future incidents?

      A: Yes, we are committed to transparency and will provide timely updates to our members in the event of any future incidents. Clear and accurate communication is a priority for us.