WA’s Office of the Auditor General was able to break into two sensitive state government networks by guessing, correctly on the first attempt, that the password for the admin account was ‘password’.
One of the networks contained thousands of highly confidential and sensitive records including information on minors, which the audit team says should only have ever been accessible by a small number of agency staff.
The team was able to download the records onto a USB device without detection. It then came back a week later and repeated the process, still without anyone noticing.
The case is just one of those the OAG outlined in a damning report on WA government information security handed down this week.
The report revealed seven targeted government entities had left their critical databases wide open to attack.
The report reviewed the effectiveness of information protection at the Department of Health, Department of Local Government and Communities, the Department of the Attorney General, Murdoch University, Curtin University, Legal Aid and the state's Drug and Alcohol Office.
It rated nearly half of all its findings as posing a 'high' or 'extreme' risk to the state.
The team found plenty of database administrator accounts where factory default passwords and usernames had never been changed. Other accounts were protected by ‘test’, ‘password1’, or ‘sqladmin’.
One database administrator account was protected by the password ‘DBA’.
Other administrator passwords had not been changed for over a decade. One database was administered using 17 highly privileged accounts for which the passwords had never been changed.
None of the 13 databases audited by the team had their production information or back-ups encrypted.
Only four were fully up to date with vendor patches, and one database had never been patched.
Despite the gaping holes in security, the audit team also found that none of the 13 systems were being consistently monitored for unauthorised activity.
It found unexplained misconfigurations in two of the agency databases that offered backdoors into the database servers, potentially left there by undetected hackers.
“The reasons and real impact of these misconfigurations are not known, so are considered to be high risk,” the report stated.
Auditor General Colin Murphy said “all the agencies we audit understand the criticality of their IT systems to their operations, however, too many underestimate the risks that exist to those systems”.
He urged state agencies to “act on the recommendations of this report to help ensure the confidentiality, integrity and availability of information”.