IT threat response for tourism organisations
Information technology (IT) threats can include cyber-attacks, data breaches or hacking as well as IT failures impacting tourism operators or visitors.
Lead agencies
- Regional tourism organisation (RTO)
- Local tourism organisation (LTO)
- Australian Cyber Security Centre – cyber-crime
- Office of the Australian Information Commissioner – notifiable data breaches
- eSafety Commissioner – cyberbullying, image-based abuse or illegal/harmful content
- Australian Federal Police (AFP)
- Department of Tourism and Sport (DTS)
Key steps to take
- Verify and check incident facts – what, where, when, who and how impacted.
- Contain and assess the threat checking for unauthorised activity, bank withdrawals and access to customer information.
- Advise staff not to share or click on links in suspect emails, shut down breached system, notify your bank and suspend affected accounts, change computer access privileges and passwords.
- Seek expert IT or cyber security assistance.
- Cyber-crime (e.g. fraud, online image abuse, identity theft or threats and intimidation) must be reported using ReportCyber, so it can be referred to the right law enforcement agency to investigate.
- Notifiable data breaches must be reported using the Notifiable Data Breach form or by phone on 1300 363 992. (You have a legal requirement to report unauthorised access of personal information held by your business if it could result in serious harm).
- Cyberbullying, image-based abuse or illegal and harmful content can be reported online to the eSafety Commissioner.
- If ‘serious harm’ has occurred you must notify those impacted, tell them how to protect themselves and actions you’ve taken to fix it – see suggested communications in key messages below.
- If law enforcement is investigating a data breach check with them before making fraudulent activity public.
- If likely to be a high-profile media story brief TEQ and QTIC.
- Liaise with tourism operator involved to determine who will respond to media – provide advice re media messaging/interviews.
- Advise tourism operator involved to document all actions in logbook/form regarding incident to assist any potential investigation.
- Monitor any media, social media and respond accordingly where necessary.
- Fully investigate the data breach.
- Review and update IT security systems and policies.
- Monitor systems for any ongoing suspicious activity.
- Keep customers updated about measures taken to prevent future incidents occurring.
Messaging to use for IT threats
- We are contacting you to let you know a data breach has affected your personal data. On (date), we detected a breach of our organisation’s IT security. As a result, some of your information has been accessed (provide type of data if possible – e.g. contact details).
- We’ve launched a full investigation to resolve the issue and we’re working closely with authorities (the Australian Cyber Security Centre, the Australian Federal Policy and/or the Australian Information Commissioner).
- We’re taking the following steps to protect you by:
- engaging an external cyber security agency to ensure we’ve taken all possible measures to minimise the impact of this security breach and reduce the risk of it happening again
- continuing to monitor for suspicious activity and coordinating with relevant authorities and agencies
- continuing to improve our systems to detect and prevent unauthorised access to user information.
- We take our obligations to safeguard your personal data very seriously. We recommend you consider taking the following steps to protect any further access to your (personal information or account details) as further safeguards:
- update your password – use at least 12 characters including numbers, symbols, capital letters and lower-case letters (avoid using date of birth or names)
- review and update your contact methods for resetting passwords
- review your account transactions and let us know if you notice anything suspicious
- don’t open attachments or click on links from unknown sources
- ignore unsolicited communications that ask for your personal data or refer you to a web page asking for personal data
- also report anything out of the ordinary to (provide details).
- We sincerely apologise for any inconvenience this breach may have caused. If you have any questions or concerns, please don’t hesitate to contact us via (email and/or phone).
- We’ll keep you informed if there is any further information about this breach.
- Our (telephone/online services/website) have been disrupted today due to unexpected technical issues.
- Our team is working to resolve the issue as soon as possible. We’ll provide updates as soon as more information is available.
- We apologise for any inconvenience this may have caused. If you urgently need to contact us, please (phone/email/message or visit us at XXXX).
Tourism crisis communication toolkit
Download the Tourism crisis communication toolkit for regional tourism organisations (PDF, 8MB).
This toolkit has been jointly funded by the Australian and Queensland governments under the Disaster Recovery Funding Arrangements (DRFA) for regional tourism organisations.