Western Australia’s auditor was so concerned about vulnerabilities in the state’s registry system last year that she took the unusual step of delaying the release of findings so the issues could be addressed.
Caroline Spencer made the revelation in a one-off audit [pdf] on Thursday, a full 18 months after tabling the 2019 information systems review that would have otherwise detailed the vulnerabilities.
The registry system, which sits within the state’s Department of Justice, is used to “manage information on all births, adoptions, deaths, marriages and change of name records for WA”.
“The results of the audit were so concerning that, in a highly unusual step… I decided not to include the results of this application controls audit in the May 2019 report to Parliament,” she said.
“I considered that publishing the significant findings at that time, when the system vulnerabilities still existed, would not be in the public interest.”
The audit had found the system was “at risk of unauthorised access, alteration and disclosure due to inadequate database controls, security vulnerabilities and insufficient monitoring of changes”.
Security vulnerabilities included “unsupported third-party applications, misconfigurations and missing security patches.
“These vulnerabilities were present on the web, database and audit reporting services across the development, test and production environments,” the audit report said.
The audit also found there was no logging or auditing, no data encryption to protect confidential information, weak passwords for the system admin account and poor disaster recovery planning.
The Department of Justice has since undertaken “significant work” to improve information security, though “more work is needed” to protect the confidentiality and integrity of the sensitive data held in the system.
Spencer said the decision to exclude the findings from the 2018 report was made on public interest grounds, as the system contains identity records that are “foundational to a civil society”.
“Knowledge of the weaknesses in this system would be of keen interest to those with malicious intent who seek financial or other gains from the alteration or access to foundational identity records of WA citizens,” she said.
“The risk is higher due to other weaknesses in the Department of Justice’s broader IT environment, also identified by this Office in previous audits over the years.
“These have included weak network security, access and vulnerability management controls, which are designed to protect the confidentiality and integrity of sensitive and privileged data.”
Spencer said that over the last 18 months the department’s director-general has provided regular updates on the progress of the work, which the audit office has independently verified.
“It was important to address these aspects before public reporting, else it may have exposed a critical system and dataset to deliberate harm,” she added.
The audit office has made six recommendations to be implemented by December 2021, including that controls for systems that store sensitive information continue to be strengthened.