An audit into a Service NSW email compromise attack that exposed a staggering 736GB of data from the accounts of 47 staff members has called for the agency to take “urgent action” to address its alarming data handling practices.
The scathing review [pdf], released on Friday by the NSW Audit Office, found the one-stop-shop for NSW government services was “not effectively handling personal customer and business information to ensure its privacy”.
The audit was conducted at the request of Customer Service Minister Victor Dominello in the aftermath of the attack, which was originally said to have claimed the personal information of around 186,000 customers.
As reported by iTnews earlier this week, Service NSW now believes the number of people that had their information stolen by unknown attackers is closer to 106,000, though no data supporting this has been provided to the auditor-general.
The report said that technical analysis found that the agency likely suffered from two separate business email compromise attacks in “relatively short succession” between late March and early April.
“Analysis found that there were likely to have been two separate business email compromise instances, in which an external threat actor sent phishing emails targeting Service NSW employees from a spoofed domain (using a false domain name to make the sender appear legitimate),” it said.
“The malicious phishing campaign mimicked an Office 365 warning email, prompting Service NSW employees to visit a fake Office 365 login page which solicited the user’s Service NSW credentials.
“As a consequence, 47 staff members had their email accounts accessed without authorisation.”
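The lure the audit describes has two observable parts: a sender domain that imitates a trusted one, and a link to a sign-in page on a domain the organisation does not own. The following is an added example of how a mail gateway or SOC script could triage for that pattern; it is not code from Service NSW or the audit. The trusted-domain list, the homoglyph table, the edit-distance threshold of 2 and the three sample messages are constructed assumptions.

```python
"""Triage inbound mail for a spoofed-domain Office 365 lure.
Added example, not Service NSW's or the audit's code; TRUSTED_DOMAINS,
the distance threshold and SAMPLES are constructed assumptions."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains from which Office 365 notices legitimately arrive.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "nsw.gov.au"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_RE = re.compile(r"\b(sign[- ]?in|log[- ]?in|password|verify|account)\b", re.I)


def normalise(label: str) -> str:
    """Undo common look-alike substitutions (0->o, 1->l, 3->e, 5->s, rn->m, vv->w)."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Reduce a host to the part a registrant controls.
    Simplification: the last two labels, or three under gov.au / com.au."""
    parts = host.lower().split(".")
    n = 3 if parts[-2:] in (["gov", "au"], ["com", "au"]) else 2
    return ".".join(parts[-n:])


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated.

    Look-alike means the normalised registrable domain is within edit distance 2
    of a trusted domain, or a trusted brand label is embedded in the host
    (e.g. micros0ft-support.com or login.microsoft.com.example.net)."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return None
    norm = normalise(dom)
    host_labels = re.split(r"[.-]", normalise(host))
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, trusted) <= 2:
            return trusted
        if trusted.split(".")[0] in host_labels:
            return trusted
    return None


def triage(message: dict) -> dict:
    """Score one message: 'phish' when a look-alike sender pairs a credential lure
    with an off-domain link, 'suspicious' when only one indicator fires, else 'clean'."""
    _, sender = parseaddr(message["from"])
    sender_host = sender.rpartition("@")[2]
    reasons = []
    imitated = lookalike_of(sender_host)
    if imitated:
        reasons.append(f"sender domain {sender_host} imitates {imitated}")
    lure = bool(LURE_RE.search(message["subject"] + " " + message["body"]))
    link_reasons = []
    for url in URL_RE.findall(message["body"]):
        host = urlparse(url).hostname or ""
        if lure and registrable(host) not in TRUSTED_DOMAINS:
            link_reasons.append(f"credential lure links off-domain to {host}")
    reasons.extend(link_reasons)
    verdict = "phish" if imitated and link_reasons else "suspicious" if reasons else "clean"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages: a genuine storage notice, a spoofed-domain
# sign-in lure pointing at a fake login page, and routine internal mail.
SAMPLES = [
    {"from": "Microsoft 365 <no-reply@microsoft.com>",
     "subject": "Your mailbox is almost full",
     "body": "Manage your storage at https://outlook.office.com/mail/options"},
    {"from": "Office 365 Security <alerts@micros0ft-support.com>",
     "subject": "Action required: unusual sign-in activity",
     "body": "Verify your account now: https://login.office365-verify.net/auth"},
    {"from": "Fair Trading <licensing@fairtrading.nsw.gov.au>",
     "subject": "Application received",
     "body": "Thanks, no further action needed."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", triage(m))
```

The registrable-domain rule here is a deliberate simplification; a production filter would use the public suffix list, and the brand-label check will flag legitimate third-party hosts such as office.example.com unless those are allowlisted.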
The attacks led Service NSW to engage an external cyber security consultant in mid-April “after concerns were raised that an employee’s email account was used to send an email to 2725 Service NSW users, including content indicative of phishing attempts”.
While the full cost of the response is not yet known, the audit said the agency had “advised that it is expected to be in excess of $30 million” – more than four times as much as the $7 million figure contained in budget papers last month.
The cost includes “postage, legal and investigative resources, as well as external consultants, vendors and staff costs”, though “does not include any costs for remediation or compensation that may be required to be paid to affected individuals”.
The audit was particularly critical of Service NSW’s practice of “emailing of personal information by Service NSW staff to client agencies”, which it labelled a “key contributing factor” that the agency was aware of before the breach.
The agency uses this approach where client agencies “have not delegated transaction authority to Service NSW and where more secure forms of electronic exchange have not been agreed or implemented”.
It does so with NSW Fair Trading and NSW Registry of Births, Deaths and Marriages for transactions, despite both agencies being within the same Department of Customer Service (DCS) cluster.
While Service NSW had sought to mitigate this by requiring that staff manually delete emails containing personal information, the report said that this was ultimately “ineffective in preventing the breach”.
“It is unclear why Service NSW did not effectively mitigate this risk prior to the breaches,” the audit said.
“However, Service NSW has advised that it implemented measures in June and October 2020 to automatically archive emails likely to contain personal information.
“This is expected to limit the quantity of information retained in email accounts for extended periods.
“Service NSW has not put in place any technical or other solutions to avoid Service NSW staff having to scan and email personal information to some client agencies.
“Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email.”
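The control the audit describes, automatically moving mail that probably carries personal information out of staff mailboxes after a set period, reduces what an attacker obtains when an account is compromised. The following is an added example of that kind of sweep and of the exposure measurement that motivates it; it is not Service NSW's implementation. The attachment types, the personal-information phrases, the 30-day window and the four sample messages are constructed assumptions.

```python
"""Flag PI-bearing mail for archival and measure residual mailbox exposure.
Added example, not Service NSW's implementation; SCAN_TYPES, PI_TERMS,
RETENTION_DAYS and SAMPLE_MAILBOX are constructed assumptions."""
import re
from datetime import date, timedelta

# Assumption: attachment types that are usually scanned identity documents.
SCAN_TYPES = (".pdf", ".jpg", ".jpeg", ".png", ".tif", ".tiff")
# Assumption: wording that indicates identity data in a subject or body.
PI_TERMS = re.compile(
    r"\b(date of birth|driver'?s? licen[cs]e|passport|medicare|"
    r"proof of identity|birth certificate)\b", re.I)
RETENTION_DAYS = 30  # assumption: how long PI-bearing mail may stay in the mailbox


def carries_pi(msg: dict) -> bool:
    """True if the message has a scan-type attachment or PI wording."""
    if any(name.lower().endswith(SCAN_TYPES) for name in msg.get("attachments", [])):
        return True
    return bool(PI_TERMS.search(msg["subject"] + " " + msg["body"]))


def archive_candidates(messages, today: date, retention_days: int = RETENTION_DAYS) -> list:
    """IDs of PI-bearing messages older than the retention window."""
    cutoff = today - timedelta(days=retention_days)
    return [m["id"] for m in messages if carries_pi(m) and m["date"] <= cutoff]


def apply_archive(messages, ids):
    """Split the mailbox into what stays and what moves to the archive."""
    keep = [m for m in messages if m["id"] not in ids]
    moved = [m for m in messages if m["id"] in ids]
    return keep, moved


def exposure(messages, today: date, retention_days: int = RETENTION_DAYS) -> dict:
    """What an attacker holding the mailbox now would get: total messages,
    how many carry PI, and how many of those are past the retention window."""
    pi_count = sum(1 for m in messages if carries_pi(m))
    overdue = archive_candidates(messages, today, retention_days)
    return {"total": len(messages), "pi_messages": pi_count, "overdue": len(overdue)}


# Constructed mailbox: scanned licence sent to a client agency, a recent
# birth-certificate application, a roster, and an old identity check.
SAMPLE_MAILBOX = [
    {"id": "m1", "date": date(2020, 1, 6), "subject": "Licence renewal for customer",
     "body": "Please process the attached.", "attachments": ["scan.pdf"]},
    {"id": "m2", "date": date(2020, 3, 25), "subject": "Birth certificate application",
     "body": "Customer details below.", "attachments": []},
    {"id": "m3", "date": date(2020, 2, 10), "subject": "Roster for next week",
     "body": "See the shared calendar.", "attachments": []},
    {"id": "m4", "date": date(2019, 3, 1), "subject": "Proof of identity check",
     "body": "Driver licence and date of birth verified.", "attachments": []},
]

if __name__ == "__main__":
    today = date(2020, 4, 1)
    print("before:", exposure(SAMPLE_MAILBOX, today))
    keep, moved = apply_archive(SAMPLE_MAILBOX, archive_candidates(SAMPLE_MAILBOX, today))
    print("after: ", exposure(keep, today), "archived:", [m["id"] for m in moved])
```

The point of the exposure function is the comparison: with no retention control every PI-bearing message in the mailbox is available to whoever phishes the credentials, whereas the sweep leaves only mail inside the window. The sweep does not remove the underlying problem the audit names, which is that the personal information is being emailed at all.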
No multi-factor authentication on email
Another key contributing factor identified in the audit was a lack of multi-factor authentication, enabling the “external threat actors to gain access to staff email accounts once they had obtained the user account details through a phishing exercise”.
The absence of multi-factor authentication had been highlighted as a risk during a 2018 audit of Service NSW’s implementation of the Essential Eight cyber mitigation strategies, which found the agency was observing “low levels of maturity for many of the eight strategies”.
“Among a number of control weaknesses, the audit found that multi-factor authentication was not enabled for high-risk areas, including webmail. It was agreed that management would finalise a strategy to address weaknesses by 30 June 2019,” the audit said.
However, despite this agreement, the agency had not implemented multi-factor authentication at the time of the attack, though it has since done so through a $5 million cyber security uplift program.
Salesforce CRM control weaknesses
“Significant” IT and security control weaknesses were also identified in Service NSW’s Salesforce customer relationship management (CRM) system, including around the “governance of role-based access” and “partitioning of program specific transaction information”.
“These deficiencies create an increased risk of unauthorised access to the personal information of over four million customers held in the system,” the audit said.
The weaknesses were acknowledged in internal Service NSW audits, including one completed as recently as August 2020.
The audit also noted that the Salesforce system was now being used beyond its original intention, containing the details of over four million MyServiceNSW account holders, including names, email addresses and phone numbers.
“It was not originally intended for the system to hold this volume and nature of customer information,” the audit said.
Service NSW was also found not to “regularly undertake privacy impact assessments or reviews of existing or legacy processes and systems”, despite conducting PIAs on major projects on a regular basis.
The audit also noted that the “significant and rapid growth” in the number of transactions offered by the agency had “exacerbated privacy risks”, with “systems and processes designed according to previously existing parameters … retained”.
“This includes the need to store sensitive personal information including health, disability or Indigenous status, on a system such as the agency’s CRM system that was not initially intended to be used to store such information,” it said.
The auditor-general has recommended that DCS “implement a solution for a secure method of transferring personal information between Service NSW and client agencies” and “review the need to store scanned copies of personal information” as a matter of urgency.
Working with DCS, Service NSW will be expected to review its privacy management plan and other privacy policies and processes by March 2021, while all Salesforce CRM IT control deficiencies will need to be addressed by June 2021.
In a statement, Dominello welcomed the report’s findings and committed to implementing all of the recommendations, noting that a number were already complete, including multi-factor authentication on staff email accounts.
“Legacy systems – like those targeted in this attack which contained photocopied paper attachments – must be systematically removed and replaced with secure end-to-end digital systems,” he said on Friday.
“I sincerely apologise to those affected.”
Labor public services spokesperson Sophie Cotsis labelled the audit a “scathing report into the weaknesses and failures of the… government to ensure its citizens' information is kept secure and safe”.
“The personal information of 4 million NSW residents remains at risk, according to a report on the data breach released by the Auditor General,” she said in a statement.
“We will see many more incidents like the NSW Service breach until the Minister Dominello takes action.”
Cotsis also pointed to the ongoing problems around the cyber maturity of agencies, as highlighted in an audit report last week.
“The NSW government is putting the private information of millions of people at risk by failing to heed warnings that government agencies continue to be exposed to data breaches.”
“The Service NSW breach would not have happened if Minister Dominello had listened to the Auditor General’s repeated warnings that urgent action needed to be taken on cyber security.”