Victoria’s United Firefighters Union says its members, who have waited more than 18 months for answers regarding a December 2022 cyber attack on Fire Rescue Victoria (FRV), have been left fuming after the organisation booked a spot at an AUD2000-a-head for-profit conference on Thursday to reveal the inner workings of its response.
The union says the 2022 attack has had long-lasting impacts on operational firefighting in FRV. It has forced firefighters and support staff to use manual workarounds for rostering, firefighting and turnout/response, with no resolution in sight. The FIRECOM system, which provides critical live information to firefighters, was offline for the better part of 12 months, and FRV’s rostering system has yet to be restored.
A notice published by Fire Rescue Victoria on January 6, 2023, said the organisation had “reasonable grounds to believe that information may have been accessed or stolen by a malicious third party”. The notice said that the organisation assumed attackers had “accessed or stolen” personal information about current and former FRV employees, contractors and secondees, as well as job applicants.
Reportedly, stolen data included identification and contact information, medical records, passport and driver’s license details, Medicare numbers, Centrelink numbers and healthcare identifiers. The initial FRV web post about the notifiable data breach is now offline.
In July 2024, firefighters, through the United Firefighters Union, requested a Zoom meeting to update firefighters and staff on the attack and the organisation’s response. Fire Rescue Victoria agreed to this request but failed to action it.
United Firefighters Union Secretary Peter Marshall has criticised the organisation’s decision to prioritise conference attendees over firefighters and operational staff.
The AFAC 2024 conference is now on in Sydney. Its program features Fire Rescue Victoria chief information officer Chris Moon presenting “Responding to a cyber attack in emergency services: The first 48 hours.”
“Firefighters and FRV employees have been waiting for more than a year and a half for basic answers on this attack,” said Marshall. “They have a right to know what happened, who is responsible, whose information was exposed, where it has gone, exactly how systems were affected, when they will be fixed, and how this was allowed to happen in the first place.”
“They made a very reasonable request in July this year, more than 18 months after the attack, for a Zoom meeting with senior leadership to get some information,” he added. “It is unacceptable that there has been no action on this request. It is beyond unacceptable that the C-level executive in charge of information security has chosen to deliver the inside story of this cyberattack to a paying audience rather than sharing information with the people who were affected by it.”
