Service NSW: A cyberattack case study close to home
The rising number and complexity of cyberattacks in Australia post-pandemic makes cyber resilience planning a more difficult task for private companies and governments alike.
Even with optimal software, infrastructure and vendor support, the shifting cyber threat landscape compounds strain on IT resources and management, increasing the odds that one successful attack will break through. But when best practices aren’t followed, or when cyber awareness in general isn’t up to scratch, organisations might as well be hanging an invitation to cyber threat actors on their front door.
More details have been coming to light about the data breach of Service NSW, the public web portal called a “one stop shop for NSW government services”, where around 736GB of sensitive data was exposed to attackers between March and April 2020. The incident prompted a NSW parliamentary enquiry, along with a series of recommendations that every organisation can apply.
Learnings from the Service NSW incident
In the incident, hackers gained access to the email account of a Service NSW employee by launching a targeted spear phishing attack, compromising the personally identifiable information of more than 100,000 NSW residents across several intrusions. It’s estimated that the breach could end up costing the service agency up to thirty million dollars. The incident is a big wake-up call to both public and private organisations to rethink their cybersecurity and proactively manage their risk.
According to the findings of the enquiry by the NSW Upper House, there are a few key areas that would enable organisations like Service NSW to mitigate their level of cyber risk.
Major risk areas include a lack of multifactor authentication and the use of unsecured email. Many government agencies rely on email to share personal information out of necessity, given the universal nature of email as a communication channel. Service NSW chief executive Damon Rees noted that the agency is actioning its learnings from the attack: it is actively pursuing a more secure alternative to email for sharing personal information, while mitigating the identified risks in line with the recommendations coming out of the enquiry.
How organisations can limit their exposure to cyber risks
For a long time, cybersecurity was something most organisations didn’t think about until something nefarious happened. Security by obscurity, or more colloquially the head-in-the-sand approach, was the norm. But times have changed, and out of that wild west period have emerged standards and best practices that no modern organisation can afford to ignore or fall short of.
The NSW parliamentary committee recommended broadly overhauling the NSW state government’s overall cybersecurity strategy, and a deep review of its cyber policies.
While the advice may apply to a conspicuous public example, any business entrusted with customer data should find the recommendations instructive in setting a cyber resilience baseline.
Key recommendations to government in the committee’s report were:
Empower cybersecurity resources with more independence and increased authority to act
Work with industry to develop a cybersecurity skills framework
Increase clarity on cyber standards
Investigate ways to improve the security of IoT devices
Enhance sovereign cybersecurity capabilities by building up local industry
Establish principles around procuring on-shore services
The long lead time necessary to implement cybersecurity best practices means we usually need to be considering tomorrow’s problems today. More than a year after the cyberattack that allowed hackers to access millions of internal documents, many of the recommendations are still being actioned.
Organisations need to take a proactive security posture
One proactive response from the NSW state government was the establishment of a NSW Police security operations centre (SOC) to monitor and guard against cyberattacks around the clock, all year round. The SOC will empower police to protect the NSW government’s critical IT systems and their data from cyberattack, while also serving as a cyber threat awareness resource for NSW businesses.
In this cyber arms race, attackers will continuously find new ways to leverage any advantage they can. One of the key ways that cybersecurity insights can flow downstream to organisations with fewer resources is for businesses and governments to pool resources, share knowledge, and work together to establish standards and practices that set a baseline “standard operating environment” of cyber resilience.
Cyber adversaries are always looking for their next target, and only by pooling our collective knowledge and resources can we empower all organisations, big and small, public and private, to build effective defences against them.