West Australian agencies fall short on data protection

November 6, 2015

It is trite to say that government agencies collect huge amounts of personal data. Often that data is compelled; taxation information falls into that category. Accordingly it is critical that government agencies properly protect that data and have proper systems to avoid fraud through identity theft. The Fairfax press highlights the latter problem in "Cyber thieves target tax time", "Identity fraudsters attack Tax Office at least 11,000 times in one year" and "Sydney nurse demands answers after twice being victim of tax refund fraud". The problem appears to be systemic, but the real twist is which system. Personal information stolen from a private organisation and then used to attempt to defraud the Commonwealth is not a data security problem of the ATO. It is, however, a fraud prevention issue for the ATO. At that point the individual whose personal information is being misused is caught in the middle.

In some of the states, privacy structures are fairly rudimentary. There is no proper privacy legislation or regulator in South Australia or Western Australia, for example. The Western Australian Auditor General has highlighted in a report (found here) the woeful state of privacy protection in WA, as reported in "WA agencies failing to secure sensitive data" and "WA auditors guess govt database passwords on first attempt". The report makes clear that the security systems in place were wholly deficient, ranging from weak password controls to a failure to encrypt sensitive data. State government bodies hold a huge amount of personal information. They are the primary delivery providers for education, health and transport in Australia. Names, dates of birth, addresses and health conditions are commonly held types of personal information.

The WA Agencies article provides:

Western Australian government agencies are not adequately protecting sensitive information from attackers to prevent unauthorised access and data loss, according to Western Australian Auditor General Colin Murphy.

In his latest two-part audit report into the Western Australia government’s information systems [PDF], Murphy looked at how seven government agencies — Murdoch University, Legal Aid, Department of Health, Curtin University, Department of Local Government and Communities (DLGC), Drug and Alcohol Office, and Department of the Attorney General — were managing the security of their databases.

He said 115 weaknesses were identified in all seven key areas that were examined. These seven areas included attack surface, account security, system hardening, patching, data protection, auditing and monitoring, and backdoors and misconfiguration.

The first four areas — attack surface, account security, system hardening, and version/patching — represented the greatest risk to databases and the information they contain, and yet the audit found these four areas made up 64 percent of the total findings, with 47 percent rated extreme or high.

Murphy highlighted several agencies did not have firewalls segregating databases and servers from the rest of the network or other agency networks, increasing the risk of compromising services running on the database or server itself.

Additionally, none of the 13 systems were encrypting sensitive data stored within their databases or on backups stored on tapes and off-site, the report said.

Murphy said the results of the audit were concerning, in particular because the weaknesses were in some easy-to-fix areas such as passwords, patching, and setting of user privileges. At the same time, the audit found there were copies of sensitive information across systems and poorly configured databases.

The second part of the report looked at key applications agencies rely on to deliver services to the general public, and whether there were any failings or weakness in these applications. The four agency applications that were reviewed for the audit included the Department of the Attorney General’s integrated court management system; Legal Aid Commission Western Australia’s LAW Office; the Department of Local Government and Communities’ WA seniors card management system; and Drug and Alcohol Office of WA’s services information management system 2.

Murphy said while the findings indicated all four applications were performing well, there were some weaknesses around data validation, manual processing, and information security.

“Particular areas of concern were around data access and logging, software patching and updates, and general security practices in agency IT environments,” he said.

“These weaknesses increase the risk to the confidentiality, integrity and availability of sensitive information that is entrusted to agencies.

“All the agencies we audit understand the criticality of their IT systems to their operations; however, too many underestimate the risks that exist to those systems.”
