2026-03-09

A data breach that leaked personal information on minors, and invoice fraud resulting in the theft of $71,000 from Western Australian government entities can be traced to poorly configured Microsoft 365 security controls, the state auditor has found.

These are two incidents outlined in a new report by the WA Office of the Auditor General (OAG), which found a litany of security shortcomings in how seven state entities manage their M365 environments.

In the data breach incident, one entity that wasn't named by OAG emailed personal and sensitive information about 32 individuals, including minors, to a third-party service provider.

That service provider then uploaded the data to a Dropbox cloud storage account, which was subsequently compromised in a cyber security incident, exposing the information to an unknown threat actor.

The entity had no data loss prevention (DLP) controls in place, meaning it had no mechanism to detect that sensitive information had left its environment or to determine the full extent of what was exposed.

It had also not conducted a security assessment of the third-party provider during the vendor onboarding process.

OAG also described a targeted phishing email incident in which a senior officer's M365 account was compromised.

In that case, the threat actor exploited weak multifactor authentication (MFA) controls to register their own device from an unmanaged overseas location, effectively locking the legitimate owner out of their own account without triggering any alert.

The attacker then created email forwarding rules to conceal their activity from the account holder and spent weeks studying the officer's email history to construct a believable payment scenario.
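The forwarding rules described above are a well-known persistence and concealment step, and they are cheap to hunt for. The script below is an added example, not code from the OAG report or any of the audited entities. It assumes inbox rules and mailbox settings have been exported from Exchange Online PowerShell (for example `Get-InboxRule ... | ConvertTo-Json` and `Get-Mailbox`), uses those cmdlets' property names as dictionary keys, and treats `agency.wa.gov.au` as a placeholder internal domain that in practice would come from `Get-AcceptedDomain`. The sample data is constructed.

```python
"""Review Exchange Online inbox rules and mailbox forwarding for external, concealed forwarding.

Added example (not from the OAG report). Assumes input shaped like the output of
Get-InboxRule and Get-Mailbox; INTERNAL_DOMAINS would normally be populated from
Get-AcceptedDomain. All sample data below is constructed.
"""
from dataclasses import dataclass

# Placeholder tenant domains (assumption); populate from Get-AcceptedDomain in practice.
INTERNAL_DOMAINS = {"agency.wa.gov.au"}

# Folders commonly chosen to hide forwarded copies from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "deleted items"}


def is_external(target: str) -> bool:
    """True if a forward/redirect target resolves to a domain the tenant does not own."""
    t = target.strip().lower()
    if "[smtp:" in t:            # Get-InboxRule renders targets as '"Name" [SMTP:user@x]'
        t = t.split("[smtp:", 1)[1].split("]", 1)[0]
    elif t.startswith("smtp:"):  # Get-Mailbox ForwardingSmtpAddress is 'smtp:user@x'
        t = t[5:]
    if "@" not in t:             # legacy EX:/o=... DN: a recipient inside the tenant
        return False
    return t.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


@dataclass
class Finding:
    mailbox: str
    rule: str
    targets: list
    reasons: list
    severity: str


def review_inbox_rules(mailbox: str, rules: list) -> list:
    """Flag enabled rules that send mail outside the tenant, scoring concealment signals."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        targets = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets += [t for t in (rule.get(key) or []) if is_external(t)]
        if not targets:
            continue
        reasons = ["forwards or redirects to an external address"]
        # Each of these keeps the owner from noticing the forwarded mail or the rule itself.
        if rule.get("DeleteMessage"):
            reasons.append("deletes the message after forwarding")
        if rule.get("MarkAsRead"):
            reasons.append("marks the message as read")
        if (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS:
            reasons.append(f"moves the message to '{rule['MoveToFolder']}'")
        if len(rule.get("Name", "")) <= 2:
            reasons.append("near-empty rule name")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append(Finding(mailbox, rule.get("Name", ""), targets, reasons, severity))
    return findings


def review_mailbox_forwarding(mailbox: dict) -> list:
    """Mailbox-level forwarding (Set-Mailbox) bypasses inbox rules, so check it separately."""
    out = []
    for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
        value = mailbox.get(key)
        if value and is_external(value):
            reasons = [f"mailbox-level {key} to external address"]
            if not mailbox.get("DeliverToMailboxAndForward", True):
                reasons.append("copies are not delivered to the mailbox")
            out.append(Finding(mailbox["PrimarySmtpAddress"], f"<{key}>", [value], reasons, "high"))
    return out


# Constructed sample export: one benign rule, one concealed external forward, one internal cc.
SAMPLE_RULES = {
    "finance.director@agency.wa.gov.au": [
        {"Name": "Move newsletters", "Enabled": True, "MoveToFolder": "Newsletters", "ForwardTo": []},
        {"Name": ".", "Enabled": True, "DeleteMessage": True, "MarkAsRead": True,
         "ForwardTo": ['"ext" [SMTP:collector@mail-example.test]']},
        {"Name": "Cc assistant", "Enabled": True,
         "ForwardTo": ['"EA" [EX:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=ea]']},
    ]
}
SAMPLE_MAILBOXES = [
    {"PrimarySmtpAddress": "finance.director@agency.wa.gov.au",
     "ForwardingSmtpAddress": "smtp:collector@mail-example.test", "DeliverToMailboxAndForward": False},
    {"PrimarySmtpAddress": "records@agency.wa.gov.au", "ForwardingSmtpAddress": None},
]


def run_review(rules_by_mailbox=SAMPLE_RULES, mailboxes=SAMPLE_MAILBOXES) -> list:
    findings = []
    for mbx, rules in rules_by_mailbox.items():
        findings += review_inbox_rules(mbx, rules)
    for mbx in mailboxes:
        findings += review_mailbox_forwarding(mbx)
    return findings


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.severity}] {f.mailbox} rule={f.rule!r} -> {f.targets}: {'; '.join(f.reasons)}")
```

Run against a real export this produces one finding per suspicious rule or mailbox setting; the severity rises when an external forward is combined with a concealment signal such as deleting or marking as read, which is the pattern the report describes. Pairing a periodic run like this with alerting on rule creation in the unified audit log gives the detection that was missing in the incident above.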

OAG said the fraud, which occurred at an entity that was not part of its M365 audit and was identified separately, went undetected for a month.

During that time, fraudulent invoices were sent and approved, costing the entity $71,000.

The entity in question recovered the money through insurance and its bank, but the audit noted the agency has not yet remediated the underlying M365 controls that made the attack possible.

Investigators were also unable to complete a full forensic review because the entity had not retained sufficient logs.

Missing security controls

OAG identified M365 security control weaknesses across all seven entities it audited.

For example, none of the audited agencies had implemented DLP controls broadly across all Microsoft 365 applications including OneDrive, SharePoint, Power Platform, Exchange and Teams.

All seven entities also allowed external data storage on unmanaged third-party services including Dropbox, Facebook and Google Drive, with no technical controls to prevent staff synchronising work data to personal accounts.

For authentication, the report said the entities relied on SMS text messages, voice and email one-time passwords.

The Australian Signals Directorate (ASD) has identified those methods as susceptible to the phishing and social engineering techniques that were used in the $71,000 theft.

Such weak MFA methods were responsible for 58 percent of security incidents affecting the Australian government in 2024-25, the report said.

Entities also allowed personal devices to register for MFA without enrolling them in device management systems.

Staff were not restricted from installing unapproved Microsoft Teams applications, and could use external code for Power BI.

This meant unvetted applications that may contain vulnerabilities, or malicious code, could be introduced by threat actors.

Most of the entities audited did not enforce content security policies for Microsoft's Power Platform either, which the OAG said increased their susceptibility to web-based code attacks such as cross-site scripting, potentially allowing threat actors to manipulate content and steal information.

OAG also found that the entities' email protections were not fully effective, because controls to prevent spoofing-based impersonation of sensitive users and partner domains had not been applied.

Other weaknesses found by OAG included some entities allowing any user to create M365 tenants and become their highly privileged administrators.

Furthermore, OAG discovered WA government entities that allowed any user to invite guests to access sensitive data from anywhere, without requiring administrator approval, increasing the risk of accidental or intentional information leakage.

Log files, which ASD recommends should be kept for at least 18 months, were in some cases only retained for six months, OAG said.

"Effective management of M365 security is critical for protecting sensitive government data and maintaining uninterrupted delivery of essential public services amid evolving cyber security threats," WA's auditor general Caroline Spencer said.

Medibank parallels

The report drew a direct parallel to the 2022 Medibank data breach, which also originated through an exploited personal device used for authentication, and which ultimately exposed the private health records of nearly 10 million Australians.

Spencer's office assessed more than 160 security settings at each entity, benchmarking them against standards from the Center for Internet Security, the United States Cybersecurity and Infrastructure Security Agency (CISA), ASD, and Microsoft's own guidance.

The report recommends that entities adopt phishing-resistant MFA for privileged users, restrict data storage to approved locations, implement DLP controls across all M365 applications, and conduct security assessments of third-party vendors before granting access to government data.

Spencer said the entities can implement the OAG's General Computer Controls audit recommendations, adopt the ASD's Essential Eight and follow the WA government's Cyber Security Policy.

This isn't the first time the auditor general has found serious issues in the IT systems used by state authorities.

In 2020, OAG discovered vulnerabilities in the WA Registry for Births, Adoptions, Deaths, Marriages and Changes of Name that were withheld from publication for 18 months to allow the agency to address them.