6 September 2018
This is a message to individuals who may have been a guest or customer of, or made an enquiry to, one of our holiday parks prior to 23 March 2018. If you think this applies to you, please read this message carefully.
Earlier this year, we unfortunately fell victim to a cyber incident where an unknown third party obtained login details to and accessed an email account we use to communicate with our guests and customers.
This email account contained some limited contact details (name, phone, email and/or address) of individuals who may have been a guest or customer, attended an event or function, or made an online booking or enquiry to an NRMA Parks and Resorts operated holiday park prior to 23 March 2018.
It is vital to point out that no other guest or customer information, including financial, credit card, bank details, passport or driving licences, usernames, passwords, login details, tax file numbers, date of birth etc., was affected.
What did we do?
Upon discovering this unauthorised activity, we took immediate steps to re-secure the accessed email accounts and obtained expert external advice and assistance to ensure our other email accounts and our wider IT network were secure. Following investigations alongside our IT and cyber security specialists, we have been able to confirm that the likely purpose of the activity was to attempt to conduct company invoice payment fraud. None of these attempts were successful.
We also notified the Australian Cybercrime Online Reporting Network (ACORN), as well as the Office of the Australian Information Commissioner (OAIC).
How do you know if you are potentially affected?
The email account accessed contained the contact details of some of our guests and customers (combinations of name, gender, email, postal address and telephone number only). While it does not appear that the purpose of the unauthorised third party activity was to gain access to our guest or customer data, we have been unable to rule out the possibility that the contents of the email account were downloaded by the unauthorised third party.
Importantly, no other guest or customer information, including financial or credit card details, was accessed by the unauthorised third party.
Given that the email account contained the contact details of some of our guests and customers, where contact details were available, we have taken steps to notify affected individuals on a precautionary basis via email, SMS or post.
Where can you find further information?
This webpage has been set up to provide further information in relation to the incident and for those who have not received a direct notification. The FAQ section below contains further information including:
- further steps you can take to protect your contact information; and
- the steps taken by NRMA Parks and Resorts since the incident.
NRMA Parks and Resorts also has a dedicated Privacy Officer who is available to answer your questions. If you have any further queries following your review of the FAQ section, please email us at firstname.lastname@example.org.
We regret that this incident occurred and we want to reassure you that we take your privacy and the security of our guests' and customers' data seriously.
Frequently asked questions
Where we could, we have reached out directly to potentially affected individuals to inform them of this incident and how it relates to them. Please be on the lookout for an email (check your junk/spam folder), SMS directing you to our website, or a letter from us. We have contacted you at your current or last known email/mailing address or mobile number.
Although we have done our best to notify everyone directly where we can, we confirm that you may be affected by this incident if you have been, prior to 23 March 2018:
- a guest or customer of an NRMA Parks and Resorts managed holiday park – this includes those who made an online booking or inquiry and those who purchased gift cards; or
- an events/functions customer of an NRMA Parks and Resorts managed holiday park – this includes those who made an online booking or inquiry; or
- a guest or customer of a former NRMA Parks and Resorts managed holiday park.
In all cases, an NRMA Parks and Resorts managed holiday park is either an Escape2 Holiday Park, or in some cases NRMA Holiday Park. No other NRMA Parks and Resorts managed park was affected.
While it does not appear that the purpose of the unauthorised third party activity was to gain access to our guest or customer data, we have been unable to rule out that the contents of the email inbox were downloaded by the third party.
Given that the email inbox contains the contact details of some of our guests and customers, we are taking steps to notify potentially affected individuals as a precaution.
Once we became aware of this incident, we immediately investigated its potential impact. Our number one focus has been to clearly identify who has been (and rule out who has not been) potentially affected and also identify precisely what information was contained in the relevant email inbox.
We have informed those potentially affected by this incident as soon as we practicably could, taking this into consideration.
The information that may have been accessed depends on what information you provided to NRMA Parks and Resorts, and varies from person to person. However, the type of information could include (if provided), your name, gender, address, email address and telephone number.
No other guest or customer information, including financial, credit card, bank details, passport, driving licences, usernames or logins, was affected.
This notification does not require you to take any specific action other than the reminder we provide below about being vigilant to attempted scams.
This notification is published as a precautionary measure, as the email inbox had access to limited customer information and with the assistance of IT and Cyber Security experts, NRMA Parks and Resorts has been unable to rule out the possibility that any of the contact information contained within the email inbox has been misused.
The below outlines steps that individuals affected by this incident can take to best ensure ongoing security of their contact information:
- Remain vigilant to telephone call, SMS and email phishing scams, and only respond to legitimate communications. More information about phishing scams is available on the ACCC’s website.
- Remain vigilant to unauthorised requests to port your mobile telephone number to another provider. More information about this type of scam is available on the ACCAN’s website.
- Ensure you have up-to-date anti-virus programs installed on your devices.
You can find additional guidance about steps you can take to protect your personal information by visiting the Office of the Australian Information Commissioner’s website.
In addition to having taken steps to re-secure its systems, NRMA Parks and Resorts has worked with IT and Cyber Security experts to conduct a comprehensive review of its systems and processes and implemented additional layers of security.
Yes. NRMA Parks and Resorts has contacted the Office of the Australian Information Commissioner about this incident and will be working cooperatively with that office. You can visit the Office of the Australian Information Commissioner’s website for more information.
We understand that individuals potentially affected by this incident may have further questions. We have established this dedicated FAQ webpage and will be updating it if, and when, any new information becomes available.
We have also established a dedicated email mailbox email@example.com if you have any specific questions. In the event you urgently need to contact us, you can call 07 5607 1405.
In these particular circumstances an unknown third party gained access to the email account and sent false instructions in an attempt to fraudulently transfer company funds.
Through our verification process, we were able to quickly identify that the instruction was illegitimate. We confirm that no payments were made.
We have prepared a glossary of some of the terms mentioned above just to help clarify their meaning a little better.
- Phishing – Phishing scams are attempts by scammers to trick you into giving out personal information.
- Porting – The process of changing your mobile telephone number from one service provider to another.