The ACT is having an annus horribilis on cyber security

December 2, 2019

The Australian National University announced earlier this year that it had been the victim of a cyber attack, for the second time in a year. Now there is an announcement that in 2018 there were two successful cyber attacks on the ACT Government. The first breach involved access to the ACT Government Directory on 23 November by a brute force attack.

A brute force attack is not commonly effective where a user has a halfway decent password. It is even less effective where the user name is not obvious. Hence the increasing requirement for passwords to have at least one capital letter, at least one numeral and a symbol or sign, and to be at least 8 or 9 characters long.
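As an added illustration (not from this blog or the ABC article), the detection logic below shows what the defending side of a brute force attack looks like in practice: it runs over a constructed authentication log and flags a burst of failures against one account, a "spray" of failures across many accounts, and the case described later in the article, a successful login on an account straight after a burst of failures. The log format, thresholds, user names and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the page): one source hammering one
# account, one trying many accounts, and one ordinary user mistyping once.
SAMPLE_LOG = """\
2018-11-23T02:14:01Z auth FAIL user=jsmith src=203.0.113.7
2018-11-23T02:14:02Z auth FAIL user=jsmith src=203.0.113.7
2018-11-23T02:14:03Z auth FAIL user=jsmith src=203.0.113.7
2018-11-23T02:14:04Z auth FAIL user=jsmith src=203.0.113.7
2018-11-23T02:14:05Z auth OK user=jsmith src=203.0.113.7
2018-11-23T02:20:00Z auth FAIL user=abrown src=198.51.100.9
2018-11-23T02:20:01Z auth FAIL user=cjones src=198.51.100.9
2018-11-23T02:20:02Z auth FAIL user=dlee src=198.51.100.9
2018-11-23T02:30:00Z auth FAIL user=fkhan src=192.0.2.44
2018-11-23T02:30:30Z auth OK user=fkhan src=192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+)\s+auth\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse(log):
    # Turn each log line into a (timestamp, result, user, source) tuple.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(events, window=timedelta(minutes=5), max_fail=4, max_users=3):
    """Per source address: many failures on one account within the window is
    brute force; failures across many accounts is a password spray; a success
    on the brute-forced account after the burst is a likely compromise."""
    alerts, per_src = [], defaultdict(list)
    for ev in sorted(events):
        per_src[ev[3]].append(ev)
    for src, evs in per_src.items():
        fails = [(ts, u) for ts, r, u, _ in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            burst = [(ts, u) for ts, u in fails[i:] if ts - start <= window]
            users = {u for _, u in burst}
            if len(users) >= max_users:
                alerts.append(("password-spray", src, sorted(users)))
                break
            if len(burst) >= max_fail and len(users) == 1:
                user = users.pop()
                alerts.append(("brute-force", src, user))
                if any(r == "OK" and u == user and ts > burst[-1][0]
                       for ts, r, u, _ in evs):
                    alerts.append(("likely-compromise", src, user))
                break
    return alerts
```

A single failed login from 192.0.2.44 produces no alert, which is the point of thresholds: the rules fire on patterns of guessing, not on one mistyped password.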

The second attack, in June 2018, involved hackers gaining access, through a third party, to surveys used for schools booking into programs at the Canberra Museum and ACT Historic sites. The personal information included teacher names, email addresses and phone numbers.

The story highlights the embarrassment factor and reputational damage that attends a data breach. The personal information gleaned from a government directory is not particularly sensitive, essentially phone numbers and contact addresses within the ACT Government system. When I worked in Canberra it was not too difficult to locate a paper version of the Government directory. It is still hugely embarrassing.

The data from the surveys is more worrying but fortunately did not involve children's personal information.

What is concerning is how lax the ACT Government is with its cyber security. Breaches through third parties are a well-known way for hackers to access data.

The article provides:

ACT Government hacks expose lack of ‘basic cyber hygiene’ in territory’s online security: expert

Two hacking attacks on the ACT Government, one involving the personal details of government employees, show a “lack of awareness”, a security expert has warned, saying smaller governments are a potential target for criminals.

Key points:

ACT Government cyber attack saw thousands of public servants’ contact details stolen

Experts say smaller governments like the ACT’s may be vulnerable to hacking

The Government’s chief digital officer says the ACT handles sensitive public information responsibly

ACT Government data was accessed by outside actors twice in less than six months during 2018.

In one incident, hackers accessed the ACT Government Directory, containing corporate contact information for thousands of public servants.

Some contact cards included personal details, like mobile phone numbers.

The ACT Government has since introduced two-step authentication across its networks in response, a step some experts suggest should have been taken some time ago.

The attacks left Nigel Phair, the head of UNSW Canberra’s cyber unit, questioning the digital security of smaller governments like the ACT’s.

“I don’t think there’s any awareness at all,” he said.

“I think if you ask the average person at those organisations, they’d say ‘we’re not a bank, why would anyone want to hack us?’.”

‘Brute force’ gets hackers access

On November 23 last year, a hacker used a fairly rudimentary “brute force” attack to access an ordinary user account within the ACT Government network.

The method involves a piece of software randomly generating possible passwords to try against various accounts, until one successfully guesses the correct combination.

Once the account was accessed, the hacker used it to download a copy of the ACT Government Directory, containing the work address, email addresses, desk phone numbers, and in some cases mobile phone numbers of ACT Government employees.

All employees were informed about the attack, and those with more sensitive personal information held in the directory were contacted individually.

The ACT Government was alerted to the attack by specialists at the Australian Cyber Security Centre.

The Government’s chief digital officer, Bettina Konti, said the breaches were undoubtedly worrying.

“On the one hand, a lot of that information would be available in public directories, particularly for senior officials in governance,” she said.

“But on the other hand, it’s still concerning.

“We still need to do everything that we can to make sure that we mitigate the risk of that happening again.”

The attacker only accessed a standard user account, and did not access any privileged data regarding ACT residents.

In response, the Government rolled out greater use of two-factor authentication — a common system used by banks to verify a person’s identity — before making significant transactions.

Systems often involve a text message containing a unique password being sent to a person’s phone, which must be entered on top of an ordinary password.

Mr Phair said that was the very least organisations like the ACT Government should be doing.

“It’s pleasing that they’ve done something after the fact,” he said.

“But this is basic cyber hygiene and something they really should have had in place before.”

Third-party system breached

In an earlier incident discovered in June last year, hackers accessed surveys used for schools booking into programs at the Canberra Museum and Gallery and ACT Historic Places.

The surveys were run by a third party operator called Typeform, which reported the breach three days later.

The breach saw personal information taken, including school names, teacher names, email addresses and phone numbers.

All individuals and organisations were notified of the breach, and Typeform took steps to address the issue.

Ms Konti said the Government was conscious of the responsibility that came with handling sensitive data.

“As a government … we’re highly aware that the community holds us to a much higher bar of security integrity than they do other organisations,” she said.

“And in the ACT, we have a team of cyber-security professionals working around the clock to ensure that all of our controls are in place and we’re monitoring for those kinds of things.”

But Ms Konti said in an increasingly digital environment, the risks could not be avoided entirely.

“No organisation is invulnerable to cyber attacks,” she said.

“It’s not possible to mitigate completely the risk of a cyber attack in any organisation.

“In the same way that it’s not possible to completely eliminate serious crime in our community.”
