In September 2020, Service NSW confirmed that a number of their customers and staff had fallen victim to a cyber-attack earlier this year. The personal data of 186,000 individuals was leaked, as a result of phishing attacks on 47 employees.
In April of this year, Service NSW was attacked by a cyber actor, resulting in a confidential data leak that totalled a staggering 738 gigabytes of data. The data was not entirely personal data, but may have consisted of victims’ birth certificates, payment card details, medical records, financial information and legal information.
Malicious cyber actors gained access to the sensitive information by subjecting employees to phishing attacks. The actors sent emails with links to websites that appeared legitimate, and prompted users to log in with their credentials. These fraudulent websites would capture the employees’ credentials, which were then used by the actors to gain unauthorised access to email accounts.
It was revealed by the recent investigation that Service NSW had only recently begun using Microsoft’s Office 365 email and software suite, but had not yet implemented the simple security measures that would have greatly reduced the likelihood of such an attack occurring, such as multi-factor authentication. Multi-factor authentication (MFA) is a simple security technology that requires users to enter a code, usually sent to their mobile phone, in addition to their password when logging into an account. This means that anyone attempting to gain access needs not just the password, but also access to the user’s mobile phone.
The head of Cyber Security NSW, Tony Chapman, told media outlet Guardian Australia that MFA could have prevented as much as 61% of the cyber-attacks that occurred in NSW government agencies last year. Multi-factor authentication is a simple but extremely effective security measure that is becoming increasingly common in modern software platforms.
It was also found that there were issues with staff using ineffective passwords that were the same between personal and work accounts. To make things worse, staff were also sharing a staggering number of confidential documents over email, which were then compromised in the attack.
These findings tell us that cybersecurity has not been made a priority when rolling out new software within government agencies. This is also true of the private sector. Security should be a top priority for all software rollouts that occur within an organisation, and should not be forgotten or pushed aside to implement at a later date. If strong security measures are implemented at rollout, it can encourage a greater security culture within the organisation. The Service NSW attack was a result of employee manipulation, which can be directly associated with a lack of effective cybersecurity education. An organisation’s cybersecurity is only as strong as its workforce.
Australian organisations are at a greater risk of cyber-attack than ever before, and these attacks are capable of causing more damage. It is absolutely critical that the necessary precautions are put into place as soon as possible. Organisations should ensure that they never become complacent and operate under the assumption that they will never be targeted.
If you find that your organisation requires assistance with either implementing strong security measures, or providing effective cybersecurity education within your organisation, Agilient is equipped to help. Our expert consultants and trainers can custom-tailor security solutions and training that will equip your organisation with the skills and techniques that it needs to prevent today’s most problematic cyber-attacks.
If you’d like to learn more, contact Agilient today.
Author: Jack Schofield, Agilient Consultant