A ransomware attack was behind a three-day systems outage at NSW’s State Transit Authority earlier this year, the state’s auditor-general has confirmed.

In June, the Sun-Herald reported that Transport for NSW was investigating an outage that insiders had described as a “malicious hack”.
It saw the bus operator revert to paper-based processes, including for the scheduling of buses, across all eight bus depots.
At the time, outgoing transport secretary Rodd Staples downplayed any link between the outage and a cyber security incident.
“Based on information to date we do not believe this is linked to any other incident. Transport for NSW continues to invest in the highest level of cyber defence,” he told the Sun-Herald.
But in an annual review of the transport cluster released last week, the auditor-general said that a cyber incident had in fact caused the outage.
“On 11 June 2020, STA’s management detected a ransomware cyber security attack on the critical IT infrastructure of STA,” the audit states.
“The IT systems were taken offline to stop the spread of the ransomware.”
The report said that systems were recovered within three days, with business continuity plans enacted in the interim to ensure STA could continue to operate without its systems.
“The audit team performed additional audit procedures to confirm there were no material impacts on STA’s financial statements,” the audit states.
“This was raised as an internal control deficiency in the management letter to address the cyber security risk.”
A total of 56 management letter findings – or control weaknesses – were raised across the cluster, 15 of which related to IT processes and controls that support the integrity of financial data.
The Audit Office is currently conducting an audit into how Sydney Trains manages cyber security risks, which it said will also include consideration of Transport for NSW's cyber security.
It is also preparing to conduct a government-wide review in the first half of next year to examine whether agencies are complying with the government’s cyber security policy.
Under the policy, agencies are required to implement the Essential Eight, a series of baseline cyber mitigation strategies recommended by the federal government.
The majority of NSW agencies are continuing to report low levels of maturity against the Essential Eight, as revealed by the auditor-general last week.
Application whitelisting is an area of concern, with 70 percent of self-assessments by agencies falling into what the government calls ‘maturity level zero’.
Opal card loophole losses fall 57 percent
After years of multi-million dollar losses from a loophole in the Opal card scheme that lets people bin cards with negative balances, the audit reveals negative balances fell drastically in 2019-20.
It put this down to changes at airport stations that prevent customers with high negative balances from exiting, and to an increase in the minimum top-up amount for new cards at these stations.
“As a result of the new measures, the total value of negative balance Opal cards during the year decreased by 57 percent to $1.3 million (2018–19: $2.9 million),” the report states.