Did you receive two text messages from Baw Baw Shire on Wednesday afternoon?
Despite apparent confusion, it's not a scam - you are one of about 1250 people impacted by a cyber security incident.
Council confirmed people who made after-hour calls to Baw Baw Shire from June 2014 to January 2016 may be impacted by the breach.
People affected were told, "the information stolen and published is considered low risk."
"Our review confirms that your name and phone number have been identified in the information published online," a council letter accessed via a link advised. "Call notes relating to your conversation and the incident location you provided in relation to your call have also been leaked."
Baw Baw Shire governance and information services director Martin Hopley said SMS text messages were sent out on Wednesday afternoon to notify of the data breach involving after-hours service provider OracleCMS.
"They were only sent to phone numbers that were impacted by the data breach," Mr Hopley said. "Unfortunately, there was a formatting issue in the initial message which necessitated the (second text) follow up."
Council said elderly and vulnerable residents were contacted via a personal call.
The breach relates to the OracleCMS system only, council said, with its own systems and databases not accessed.
Despite the information being related to calls made eight to 10 years ago, Mr Hopley said the data was leaked only this year. He said council was made aware in April by the state government's Cyber Incident Response Centre.
He emphasised only data for the date range specified was breached.
"It's important to note that no current data was accessed, nor was any council system impacted," Mr Hopley said.
Asked why council outsourced after-hours calls to OracleCMS, Mr Hopley said engaging a third-party provider gave council "access to flexible and scalable support for our organisation outside of regular business hours". He said this was vital in cases of extreme weather or unplanned IT or telecommunication outages.
"Council received more than 1600 after-hours calls in the 2023 calendar year, and third-party call centre operators such as OracleCMS are purposely equipped and staffed for 24-hour operation and call taking," he said.
When affected residents shared the text messages online, there was confusion on whether it was real or a scam.
One woman, who received the two texts, asked why she hadn't been contacted directly for an explanation instead of seeing it on the Gazette's Facebook page.
"I deleted and reported (the texts) as they looked suspicious," she said. "No way Baw Baw Shire should expect anyone to click on a link."
One Gazette follower noted, "it is an absolutely appalling way for council to inform people."
Quentin Christensen said the message should have advised residents to go to council's website, "anything but an obfuscated URL."
"I didn't receive the texts but the poor sentence structure certainly makes it look like a scam," another follower Darryl Martin added. "Two proper sentences joined by a comma and three uses of 'please' would generally be a tip off that the text perhaps came from overseas."
Asked if council was confident the text messages would get the required information out to those affected, Mr Hopley said "we're encouraged to see residents being vigilant against scam attempts."
He welcomed contact from any concerned residents wishing to verify the message to contact Baw Baw Shire's customer service centre on 5624 2411.