Two hacking attacks on the ACT Government, one involving the personal details of government employees, show a “lack of awareness”, a security expert has warned, saying smaller governments are a potential target for criminals.
- ACT Government cyber attack saw thousands of public servants’ contact details stolen
- Experts say smaller governments like the ACT’s may be vulnerable to hacking
- The Government’s chief digital officer says the ACT handles sensitive public information responsibly
ACT Government data was accessed by outside actors twice in less than six months during 2018.
In one incident, hackers accessed the ACT Government Directory, containing corporate contact information for thousands of public servants.
Some contact cards included personal details, like mobile phone numbers.
The ACT Government has since introduced two-step authentication across its networks in response, a step some experts suggest should have been taken some time ago.
The attacks left Nigel Phair, the head of UNSW Canberra’s cyber unit, questioning the digital security of smaller governments like the ACT’s.
“I don’t think there’s any awareness at all,” he said.
“I think if you ask the average person at those organisations, they’d say ‘we’re not a bank, why would anyone want to hack us?'”.
‘Blunt force’ gets hackers access
On November 23 last year, a hacker used a fairly rudimentary “blunt force” attack to access an ordinary user account within the ACT Government network.
The method involves a piece of software randomly generating possible passwords to try against various accounts, until one successfully guesses the correct combination.
Once the account was accessed, the hacker used it to download a copy of the ACT Government Directory, containing the work address, email addresses, desk phone numbers, and in some cases mobile phone numbers of ACT Government employees.
All employees were informed about the attack, and those with more sensitive personal information held in the directory were contacted individually.
The ACT Government was alerted to the attack by specialists at the Australian Cyber Security Centre.
The Government’s chief digital officer, Bettina Konti, said the breaches were undoubtedly worrying.
“On the one hand, a lot of that information would be available in public directories, particularly for senior officials in governance,” she said.
“But on the other hand, it’s still concerning.
“We still need to do everything that we can to make sure that we mitigate the risk of that happening again.”
The attacker only accessed a standard user account, and did not access any privileged data regarding ACT residents.
In response, the Government rolled out greater use of two-factor authentication — a common system used by banks to verify a person’s identity — before making significant transactions.
Systems often involve a text message containing a unique password being sent to a person’s phone, which must be entered on top of an ordinary password.
Mr Phair said that was the very least organisations like the ACT Government should be doing.
“It’s pleasing that they’ve done something after the fact,” he said.
“But this is basic cyber hygiene and something they really should have had in place before.”
Third-party system breached
In an earlier incident discovered in June last year, hackers accessed surveys used for schools booking into programs at the Canberra Museum and Gallery and ACT Historic Places.
The surveys were run by a third party operator called Typeform, which reported the breach three days later.
The breach saw personal information taken, including school names, teacher names, email addresses and phone numbers.
All individuals and organisations were notified of the breach, and Typeform took steps to address the issue.
Ms Konti said the Government was conscious of the responsibility that came with handling sensitive data.
“As a government … we’re highly aware that the community holds us to a much higher bar of security integrity than they do other organizations,” she said.
“And in the ACT, we have a team of cyber-security professionals working around the clock to ensure that all of our controls are in place and we’re monitoring for those kinds of things.”
But Ms Konti said in an increasingly digital environment, the risks could not be avoided entirely.
“No organisation is invulnerable to cyber attacks,” she said.
“It’s not possible to mitigate completely the risk of a cyber attack in any organization.
“In the same way that it’s not possible to completely eliminate serious crime in our community.”