A hacker attack that compromised the private information of hundreds of thousands of NSW residents did little to change the unsafe and outdated methods the government uses to handle sensitive data.
That conclusion was drawn by the NSW Auditor-General in a special report savaging the Service NSW agency’s data regimen and response to the March 2020 cyberattack.
“(Service NSW) continues to use business processes that pose a risk to the privacy of personal information,” Auditor-General Margaret Crawford wrote.
“These include routinely emailing personal customer information to client agencies, which is one of the processes that contributed to the March 2020 data breach.”
Hackers gained access to 47 email accounts that belonged to staffers at Service NSW by sending out so-called phishing emails, Ms Crawford wrote.
Phishing is when someone sends emails pretending to be from a legitimate source, tricking the victim into clicking suspicious links and handing over login details and other information.
In the Service NSW attack, hackers sent emails that looked like a Microsoft Office login page.
By gaining access to the 47 staff accounts, the attackers gained access to some five million documents. Around 500,000 of those were likely to contain personal data.
Hackers also used an employee’s email account to send out emails to 2725 users of the government service.
Shortly after the scale of the hack became clear, Customer Service Minister Victor Dominello, who is responsible for Service NSW, asked Ms Crawford to look into the agency’s handling of personal information.
The Auditor-General’s probe found that some unsafe Service NSW practices, such as requiring staff to scan and email personal information to other agencies it collaborates with, were still ongoing today.
The agency also did not put in place a multi-factor authentication system for email logins until after the attack.
That’s despite an internal warning last year that said the agency needed to do so by June 2019.
Multi-factor authentication requires a staffer to confirm a login with a second factor, such as a code sent to their phone, a security measure that makes phishing attempts harder because a stolen password alone is not enough to sign in.
Service NSW’s rapid expansion since it was created in 2013 contributed to its failure to safeguard data, staff who were interviewed by the Auditor-General said.
The agency has ballooned from a skeleton crew of 24 staffers in 2013 to 3981 today.
The number of client agencies it works with expanded from three to 36, and the number of service centres it runs went from one to 109 in just seven years.
“A number of interviewees raised the pace and scale of this growth as posing risks for how effectively Service NSW continues to ensure customer’s personal information privacy,” Ms Crawford wrote.
Those risks were identified internally in 2019 and were exacerbated by the dual crises of the bushfires and the coronavirus pandemic.
The Auditor-General recommended several changes to the way the agency handled data.
Ms Crawford urged Service NSW to find safer ways of storing and transferring information.
Service NSW chief executive officer Damon Rees said the agency accepted all recommendations.
He also submitted a list of changes already made, including implementing multi-factor authentication and automatic archiving of emails containing personal data.
Mr Dominello apologised to those affected by the leak and said he welcomed the report.
“My agency has committed to implementing all of the Auditor-General’s recommendations and has already implemented a number of critical security measures such as multi-factor authentication on staff email accounts,” Mr Dominello said.
“Legacy systems – like those targeted in this attack which contained photocopied paper attachments – must be systematically removed and replaced with secure end-to-end digital systems.
“I sincerely apologise to those affected.”