A NSW parliamentary inquiry has recommended an overhaul of the state government’s cybersecurity strategy and a review of its cyber policies in the wake of a serious data breach that resulted from cyber risks being ignored.
Nearly a year after a cyberattack on Service NSW that allowed hackers to access millions of internal documents, the incident is yet to be fully addressed.
Risky data practices have continued and thousands of NSW citizens whose data was involved were not notified. The breach is expected to cost the service agency at least $30 million.
The incident may have been prevented had the agency addressed the cyber risks it identified a year earlier, according to a NSW Upper House inquiry that has now called for structural changes.
Recommendations include strengthening the mandate and resourcing of Cybersecurity NSW, including moving the function from the Department of Customer Service to the Department of Premier and Cabinet.
Doing so would provide much needed independence from the state’s service providers, the inquiry found.
Of “urgent” importance is the establishment of a mandatory data breach notification scheme applicable to all NSW agencies and their contracted service providers, and a formal process for assisting people affected by a data breach, the committee said.
Currently neither measure exists in the state, an absence that helped enable, and worsened the handling of, the Service NSW data breach that sparked the inquiry.
“The committee found that this attack was enabled by practices and systems within Service NSW that did not accord with best practice cyber security measures,” Committee Chair Tara Moriarty wrote in the report foreword.
“Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them.”
A targeted phishing attack on the service agency in March and April last year compromised data of more than 100,000 people when attackers gained access to Service NSW employee email accounts.
It took Service NSW three weeks to verify the incident and notify the minister. It took months more to notify users of Service NSW whose data had been exposed. And nearly a year after the incident, 20 per cent to 30 per cent of those affected had still not been notified.
A review of the incident by the NSW Auditor General in December found it was “unclear” why Service NSW had not effectively mitigated the risk prior to the breach.
Service NSW identified risks including a lack of multifactor authentication a year prior to the breach and had committed to addressing them in 2019, but failed to do so until after the major incident in 2020.
“Service NSW is not effectively handling personal customer and business information to ensure its privacy,” the Auditor General concluded. “It continues to use business processes that pose a risk to the privacy of personal information.”
Service NSW chief executive Damon Rees told the parliamentary inquiry in February that the agency has continued to use at least one high-risk practice – sending personal information via email – as it worked on a more secure alternative. But he insisted many of the risks have now been mitigated.
Other recommendations from the inquiry include a review of the “responsibility and resourcing” of the NSW privacy watchdog; more work from the government with industry to develop a cybersecurity skills framework; more clarity on cyber standards including mandatory ones for government agencies; investigating ways to improve the security of IoT devices; a strategy for improving the cyber safety of citizens; and more support to local councils to enhance their cyber capabilities.
The Committee also recommended the NSW government develop a strategy to enhance sovereign cyber security capability by building the local industry and establishing principles for procuring services onshore.