Political vultures were circling within hours of revelations that personal information relating to some 186,000 NSW residents had been exposed in an April data breach that saw some 3.8 million documents stolen by cyber criminals.
The breach of online government agency Service NSW was announced in May, but authorities have only now released details of the breach after a four-month investigation involving the NSW Police, auditor general, and cyber security experts that confirmed some 738 gigabytes of data had been stolen after 47 staff email accounts were compromised in a phishing attack.
Affected residents will be notified by registered mail.
Service NSW has “accelerated our cyber security plans and the modernisation of legacy business processes to keep customer information as safe as possible,” the agency said, outlining a notification process by which affected citizens will be given “important information about the specific individual data accessed during the breach”.
The agency’s success in consolidating state services – both in person and online – has made it the model for broader efforts such as the federal government’s Services Australia initiative, announced late last year, and state-based efforts in Victoria, South Australia, Western Australia, Tasmania, and the ACT.
Yet as states increasingly consolidate their service interfaces online, breaches such as the Service NSW compromise are also highlighting the inherent dangers of consolidating large swathes of information from across government agencies.
Service NSW, for example, is streamlining access to often sensitive information involved in 36 different state agencies – creating the potential for significant new exposure due to the interrelationship between those services and the data they utilise.
Just weeks ago, a misconfigured Amazon Web Services (AWS) cloud database was discovered to be providing public access to a cache of more than 54,000 scanned NSW driver licenses – which were, security experts said, seemingly published by a third party unrelated to a government agency.
That finding suggests that the data may have come from a third party authorised to request and store licenses as part of online checks that have become essential to regulate online purchases of goods such as alcohol.
Doubling down on cyber
With identity-related information commanding a premium on dark web sites, security experts have long warned about the criticality of strong security for online businesses – and, in particular, government agencies that have ramped up their digital service delivery in the wake of the COVID-19 pandemic.
This has spawned initiatives such as the government’s digital experience platform (GOVDXP), a $28.1m Deloitte-built service designed to expose services through a personalised, Netflix-styled portal.
Yet as data breaches bubble to the surface, the risks inherent in that strategy have become increasingly apparent – and political opponents of NSW Premier Gladys Berejiklian wasted no time putting in the boot.
Sophie Cotsis, NSW Shadow Minister for Better Public Services, called on Minister for Customer Service Victor Dominello to “explain and account for why they have failed to secure and protect sensitive information from cyber criminals”.
Public administrators already require agencies to monitor and report on compliance with cyber security best practices encapsulated in the NSW Government Cyber Security Policy, but ongoing audits have uncovered poor compliance across the government.
The NSW government – which overhauled its cybersecurity practices with last year’s appointment of Tony Chapman as chief cyber security officer – has moved quickly to bolster its cybersecurity capabilities in the wake of the Service NSW compromise.
In June, the government announced it would invest $240m bolstering the state’s cybersecurity defences, including a cyber vulnerability response centre in Bathurst that Minister for Customer Service Victor Dominello said would “deliver a vital, sector-wide risk management capability”.
Peak body Cyber Security NSW will, among other things, hire 75 new cybersecurity staff to improve support of small businesses and local governments, and partner with Australian startup UpGuard to improve monitoring and management of Internet-facing vulnerabilities.
A state government-backed taskforce is pushing for the creation of national cyber standards as the state prepares to release a 2020 Cyber Security Strategy (NSW CSS) – which, Dominello said in June, would be “delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens.”