New South Wales parliamentary committee recommends overhaul of Government cyber security strategy… Another report
April 1, 2021
It has been an ordinary 12 months for New South Wales in the data protection world. Service NSW suffered a massive data breach in April, which was first reported in May 2020, with 180,000 customers' personal information exposed. The breach was effected through a phishing attack on 47 Service NSW email accounts. Being a secretive government department, as most Australian departments are, it resisted providing information about the breach, even resisting a Freedom of Information request in July. There is nothing much unusual about that. Regrettable, but not unusual.
The public affected only started to be notified in September 2020, which is seriously odd. Why wait 4 months? It has still not notified 18,500 customers affected by the breach, almost a year after the breach was detected. It can be difficult to locate people, particularly those who live a transient lifestyle or have mental health issues, but 18,500 is still a large number of people and it has been almost a year. That bespeaks a poor response plan and a lack of resources being put into the task. The cost of this data breach is reportedly $30 million.
Meanwhile, in March the hacking group Clop put stolen data taken from the NSW transport department up for sale on the dark web. That would be galling for the department. Clop may have attacked the NSW system through the vulnerability in Accellion's file transfer system, which has resulted in attacks worldwide.
This lamentable state of affairs resulted in a NSW Parliamentary inquiry being established in August 2020 to inquire into the Government's cyber security strategy. On 26 March 2021 it produced a 94-page report. Yes, another report.
Innovation Aus reports on it in NSW readies state overhaul of cyber defences. The report detected weak cyber defences and recommended more money being put into cyber security.
It provides:
A NSW parliamentary inquiry has recommended an overhaul of the state government’s cybersecurity strategy and a review of its cyber policies in the wake of a serious data breach that resulted from cyber risks being ignored.
Nearly a year after a cyberattack on Service NSW that allowed hackers to access millions of internal documents, the incident is yet to be fully addressed.
Risky data practices have continued and thousands of NSW citizens whose data was involved were not notified. The breach is expected to cost the service agency at least $30 million.
The incident may have been prevented had the agency addressed the cyber risks it identified a year earlier, according to a NSW Upper House inquiry that has now called for structural changes.
Recommendations include strengthening the mandate and resourcing of Cybersecurity NSW, including moving the function from the Department of Customer Service to the Department of Premier and Cabinet.
Doing so would provide much needed independence from the state’s service providers, the inquiry found.
Of “urgent” importance is the establishment of a mandatory data breach notification scheme applicable to all NSW agencies and its contracted service providers, and a formal process for assisting people affected by a data breach, the committee said.
Currently neither measure exists in the state, an absence that contributed to enablement and poor handling of the Service NSW data breach that sparked the inquiry.
“The committee found that this attack was enabled by practices and systems within Service NSW that did not accord with best practice cyber security measures,” Committee Chair Tara Moriarty wrote in the report foreword.
“Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them.”
A targeted phishing attack on the service agency in March and April last year compromised data of more than 100,000 people when attackers gained access to Service NSW employee email accounts.
It took Service NSW three weeks to verify the incident and notify the minister. It took months more to notify users of Service NSW whose data had been exposed. And nearly a year after the incident, 20 per cent to 30 per cent of those affected had still not been notified.
A review of the incident by the NSW Auditor General in December found it was “unclear” why Service NSW had not effectively mitigated the risk prior to the breach.
Service NSW identified risks including a lack of multifactor authentication a year prior to the breach and had committed to addressing them in 2019 but failed to do so until after a major incident in 2020.
“Service NSW is not effectively handling personal customer and business information to ensure its privacy,” the Auditor General concluded. “It continues to use business processes that pose a risk to the privacy of personal information.”
Service NSW chief executive Damon Rees told the parliamentary inquiry in February the agency has continued to use at least one high risk practice – sending personal information via email – as it worked on a more secure alternative. But he insisted many of the risks have now been mitigated.
Other recommendations from the inquiry include a review of the “responsibility and resourcing” of the NSW privacy watchdog; more work from the government with industry to develop a cybersecurity skills framework; more clarity on cyber standards including mandatory ones for government agencies; investigating ways to improve the security of IoT devices; a strategy for improving the cyber safety of citizens; and more support to local councils to enhance their cyber capabilities.
The Committee also recommended the NSW government develop a strategy to enhance sovereign cyber security capability by building the local industry and establishing principles for procuring services onshore.