Cybersecurity vulnerability revealed after NSW Government agency’s 49-day hack

By Cameron Abbott and Harry Crawford

The NSW Government’s vulnerability to hacking has been exposed in a report by state’s auditor-general, in which it was revealed that one government agency took 49 days to shut down a hack.

This hack started with an email account of the unnamed agency being compromised and used to send out “phishing” emails to get the credentials of finance staff members. By day 20, 300 staff had clicked on the bogus link in the phishing email. 200 email accounts ended up being under the control of the hackers.

Shockingly, the password to the originally-compromised email account was only checked 42 days after the initial breach when it was found that it hadn’t yet been changed. The agency’s payments gateway (used for business invoices, staff salaries and superannuation) was offline for nearly 3 weeks while the hack was addressed.

One of the key findings in the report was that most IT service providers to NSW public sector agencies are, surprisingly, not contractually obliged to report incidents to agencies. Only two of ten surveyed agencies had contractual arrangements which obliged providers to report incidents in a timely manner.

This is vital for all public and private sector organisations. By including clauses in contracts requiring IT service providers to report all cyber security incidents within a reasonable timeframe, organisations not only pass on legal risk to their suppliers, but also ensure they are notified of all incidents for their own regulatory compliance. This is essential, for example, in order to comply with new mandatory data breach notification requirements which we recently blogged about.

Whether public service or private companies, there are now requirements to notify of serious data breaches, never mind the wisdom in knowing about it and ensuring mitigations are put in place to prevent further damage!  Time to check your key supplier relationships we suggest.