6 September 2018
This is a message to individuals who may have been a guest or customer of, or made an enquiry to, one of our holiday parks prior to 23 March 2018. If you think this applies to you, please read this message carefully.
What happened?
Earlier this year, we unfortunately fell victim to a cyber incident where an unknown third party obtained login details to and accessed an email account we use to communicate with our guests and customers.
This email account contained some limited contact details (name, phone, email and/or address) of individuals who may have been a guest or customer, attended an event or function, or made an online booking or enquiry to an NRMA Parks and Resorts operated holiday park prior to 23 March 2018.
It is vital to point out that no other guest or customer information, including financial, credit card, bank details, passport or driving licences, usernames, passwords, login details, tax file numbers, date of birth etc. were affected.
What did we do?
Upon discovering this unauthorised activity, we took immediate steps to re-secure the accessed email accounts and obtained expert external advice and assistance to ensure our other email accounts and our wider IT network was secure. Following investigations alongside our IT and cyber security specialists, we have been able to confirm that the likely purpose of the activity was to attempt to conduct company invoice payment fraud. None of these attempts were successful.
We also notified the Australian Cybercrime Online Reporting Network (ACORN), as well as the Office of the Australian Information Commissioner (OAIC).
How do you know if you are potentially affected?
The email account accessed contained the contact details of some of our guests and customers (combinations of name, gender, email, postal address and telephone number only). While it does not appear that the purpose of the unauthorised third party activity was to gain access to our guest or customer data, we have been unable to rule out the possibility that the contents of the email account were downloaded by the unauthorised third party.
Importantly, no other guest or customer information, including financial or credit card details, were accessed by the unauthorised third party.
Given that the email account contained the contact details of some of our guests and customers, where contact details were available, we have taken steps to notify affected individuals on a precautionary basis via email, SMS or post.
Where can you find further information?
This webpage has been set up to provide further information in relation to the incident and for those who have not received a direct notification. The FAQ section below contains further information including:
- further steps you can take to protect your contact information; and
- the steps taken by NRMA Parks and Resorts since the incident.
NRMA Parks and Resorts also has a dedicated Privacy Officer who is available to answer your questions. If you have any further queries following your review of the FAQ section, please email us at [email protected].
We regret that this incident occurred and we want to reassure you that we take your privacy and the security of our guests and customers data seriously.