Within the last year the New South Wales government has suffered from several phishing attacks, one of the worst being in April of this year. The targeted attack to Service NSW resulted in the theft of more than 500,000 documents holding personal information that related to 186,000 people. It’s now being reported that this attack could have been prevented if simple security measures had been put in place, as well as preventing the majority of the other phishing attacks against the NSW government.
Responsible for managing things such as drivers’ licenses, as well as firearm, car and birth registrations, Service NSW is the main customer service hub for the New South Wales government.
As a result of the phishing attack, 47 staff user accounts were accessed. An investigation followed and after 4 months, they discovered that 3.8 million documents in those members of staff’s email accounts had been accessed and 500,000 of them contained personal information.
The attack occurred soon after Office365 (now known as Microsoft 365), the cloud-based email and software suite from Microsoft, was adopted by Service NSW. It’s come to light that two-factor authentication (2FA) or multi-factor authentication hadn’t yet been turned on by users, this would have required the attackers to authenticate logins with more than just a password.
The Guardian Australia was informed by the head of Cyber Security NSW, Tony Chapman, that not only this recent attack could have been prevented by 2FA being enabled, but also the majority of the other attacks that the NSW government faced in the past year.
Chapman said “My team last year had determined that 61% of incidents reported to Cyber Security NSW would have been prevented if multi-factor authentication was in place. So you can imagine it’s a key driver for me to educate across the sector.” He went on to add that they had also discovered a problem with employees using the same password for both work and personal email accounts.