A Western Australian council paid approximately $350,000 to an unknown third party, following a phishing attack that allowed a threat actor to fraudulently change a supplier's account details in its finance system.
That breach is one of 14 case studies in the Western Australian Office of the Auditor General's Local Government 2025 – Information Systems Audit Results, which points to fewer IT control weaknesses year-on-year, but also lingering, unresolved problems for local authorities.
The audit report classifies the incident as a successful social engineering attack, but doesn't say if the illicitly obtained funds were recovered or which entity suffered the attack.
Other eyebrow-raising case studies in the WA OAG report include a council's internal systems being reachable from its public lending library.
This is because the unnamed council had not effectively restricted network traffic between internal and publicly accessible areas, the OAG said.
The OAG also looked into physical security, and found that one entity had left the default administrator credentials in place on its building management system, potentially allowing attackers to access door, lighting and temperature controls.
In a third case, one local government entity's server room did not have a fire suppression system, and had structural damage to the walls.
Overall, insufficient access management controls were identified as having the greatest number of weaknesses of any audited category, with 78 issues across 36 entities.
Of these, 17 percent were rated as "significant", with over half of them (59 percent) carried over unresolved from the previous year, the OAG found.
Only one entity met the access management benchmark, and just two WA local government entities met the endpoint security benchmark.
"These weaknesses put entities at greater risk of service disruptions, disclosure of ratepayers' data, financial loss and reputational damage," the OAG said.
On the upside, the number of control weaknesses in total dropped from 360 in the previous year at 89 entities, to 333 at 68 agencies.
Capability maturity dropping for all categories
At the 15 selected entities audited, capability maturity assessments showed a decline across all 10 control categories compared to last year.
This is partly due to four new entities being included for the first time, the OAG said, but the 11 entities audited last year nevertheless declined in six of the 10 categories.
The OAG intends to gradually increase the number of entities subject to capability maturity assessments, for further insights and to assist with continuous improvement in the local government sector.
Training, not technology spend, the fix
Auditor General Caroline Spencer made it clear that remedying the problems does not require significant capital spending.
"I encourage all local governments to learn from these findings and implement effective controls, many of which do not require costly technology," she said.
"Instead, uplift requires an ongoing awareness of risk and constant effort and vigilance," Spencer added.
The report recommends councils implement phishing-resistant multi-factor authentication, run regular security awareness training for all staff, conduct pre-employment screening for positions of trust and establish effective offboarding procedures.
Meanwhile, the WA Department of Local Government, Industry Regulation and Safety is working with the Office of Digital Government on a cyber security pilot project targeting the local government sector.
OAG's report is the seventh on general computer controls for local government entities.