ASD confirms data stolen in Parliament IT breach

Australian Signals Directorate chief Mike Burgess has confirmed data was stolen by a state-sponsored actor during February’s malicious attack against Parliament House.

In what appears to be the first public admission of the data exfiltration, Burgess told senate estimates last week that a limited amount of non-confidential data had made its way into the hands of attackers.

It was revealed during the agency’s damage assessment of the security breach, which has now been wrapped up and handed to government for consideration.

“There was a small amount of data taken; none of that was deemed sensitive, but the assessment of that is a matter for the parliament themselves,” Burgess said.

At the time of the compromise, Parliament's presiding officers had said there was no evidence data had been accessed or taken.

However, while the damage assessment been completed, Burgess said the agency was still working to determine which “sophisticated state actor” had been involved.

“Our investigation is still ongoing. We have our suspicions,” he said.

Burgess also said any attribution such as calling out the state actor would likely be some time off.

“Attribution is a really difficult thing, so tying it down to a particular country, a particular organisation, and perhaps particular individuals, is a piece of work that takes considerable time,” he said.

“Even if we got to that point, whether that got called out or not is a matter for other organisations—the government—not for the Australian Signals Directorate.”

Last month, the Department of Parliamentary Services conceded not all of the Essential Eight cyber rules had been implemented at the time of the breach.

It put this down to the need to offer flexbility to parliamentarians and their staff, including a "highly varied" amount of software and services, for not implementing all of the Essential Eight.