Service NSW has introduced multi-factor authentication across almost all of its externally-facing IT systems in the wake of last year’s phishing attack that exposed 736GB of data.
After bringing MFA to email shortly after the March 2020 data breach, CEO Damon Rees said the agency had now enabled the feature on all but five percent of externally-facing systems.
It follows funding to the tune of $5 million in last year’s state budget for cyber security upgrades at the one-stop shop for NSW government services.
“That [MFA] rollout has now covered 95 percent of our externally-facing systems,” Rees told a budget estimates hearing on Wednesday.
He added that “other technical controls” for email had also been hardened such as “limiting the third-party applications that could be used to access email from mobile devices”.
Lack of MFA was labelled a key contributing factor to the breach that claimed the personal information of around 103,000 customers, according to a post-mortem.
The review also found Service NSW had put off implementing MFA on email, despite being warned of the risk it posed two years before the attack.
Rees said the MFA rollout across external systems was one of three priorities aimed at strengthening the agency's security posture as part of a cluster-wide ‘program trust’ uplift.
“Our principal three priorities to date have been the MFA rollout, vulnerability management and remediation and uplifting alerting and monitoring around cyber security incidents,” he said.
The uplift of alerting and monitoring includes “integrating with the new security operations centre that Accenture will deliver for the Department [of Customer Service]”.
As reported by iTnews earlier this year, Accenture is one of several new external providers of IT services appointed after the government replaced its long-standing shared services arrangement with Unisys.
Accenture will provide security operations services, including Essential Eight management and security incident monitoring, over the next three years under a $9.9 million contract.
Rees also said that the agency is continuing to remove emails that are older than 60 days from customer-facing accounts, which had reduced the size of mailboxes by 92 percent.
Service NSW is similarly “in the process of removing the dependency on email for the transfer of information across all of our business processes”, but did not elaborate on that effort.
Earlier this year, he said Service NSW had started piloting a series of secure data transfer applications to replace the use of email for sharing personal information.
There is also a significant program underway to strengthen Service NSW’s cyber security posture under the Department of Customer Service’s ‘program trust’.
Still unable to reach 40,000 impacted customers
While efforts to prevent another phishing attack from occurring have progressed, Service NSW has still been unable to notify 40 percent of customers who had personal information stolen.
“Of the 103,000 people that we identified had some level of data in those [compromised] mailboxes, we were ultimately successfully able to send letters to 63,500 of them,” Rees said.
In March, around 54,000 people were still yet to be notified, including 36,000 that were never contacted because Service NSW was unable to source a current residential mailing address.
A further 18,500 had not signed for the notification letter sent via registered mail in the first round of notifications.
Rees said the agency had attempted to recontact the remaining 18,500 people in a final round of notifications using non-registered mail, but by the end, 39,500 people were still yet to be notified.
“If you put all [the notifications] together, 63,500 customers were ultimately successfully notified out of the 103,000,” he said.