Errant security certificate behind six-hour Senate web service outage

An expired security certificate caused a six-hour outage to the real-time web service used by parliamentarians to track senate activities.

The Department of Parliamentary Services (DPS) officials revealed the cause of the outage to a Senate estimates committee, during which they also said there had been three other outages of APH.gov.au, or parts of it, since October last year.

DPS had previously been undescriptive when contacted by iTnews during the outage last week, which primarily impacted the ‘Dynamic Red’ senate tracker. The Dynamic Red is widely used by parliamentary staff, media and the public to monitor daily Senate procedures and designed to update in real time.

However, during the outage, the site consistently returned server error messages for hours rather than the expected itemised, live timeline of events.

Deputy secretary and chief operating officer Nicola Hinder said the security certificate for Dynamic Red and a handful of other web services unknowingly expired, because it was undocumented and with an unapproved provider.

“This was also a highly unusual circumstance,” Hinder said

“This certificate was held [with] a provider that was outside the range of our normal certificate providers, and was [in] the name of an ex-employee as opposed to being held within the name of the Department of Parliamentary Services. 

“The passwords etc for the underpinning digital certificate were also not held, which is outside normal practice.”

Hinder said it took time for DPS staff to determine the root cause of the issue, verify itself as the certificate owner, renew the certificate with its normal provider, and enable the change to restore services.

DPS chief information officer Mike Webb said the department had all its other security certificates with one provider to ensure visibility and continuity of service.

“We have a standard process where certificates are with one certificate authority, which provides us visibility of all certificates in the APH network and the parliamentary computing environment,” Webb said.

“The expired certificate was issued from a different certificate authority, which wasn’t documented and wasn’t consistent with our standard practices, which is why it wasn’t able to be identified until it expired and impacted services.”

Webb said that APH.gov.au, or parts of it, had previously been impacted by three other outages between October 2025 and now.

Most recently, the APH.gov.au website was impacted by the YisouSpider web crawler on January 23, which “overloaded the website for several hours until [it] was mitigated.”

Before that, an unspecified “integration service” and a Microsoft Azure dependency caused shorter outages.

Webb also revealed that DPS had blocked “more than 7000 phishing attempts”, 36 attempts to inject malware and investigated “another 1360 other cyber alerts” since October 2025.