The ACT Government has completed the first phase of its investigation into the data breach that affected the Barracuda email gateway system, Digital and Data Special Minister of State Chris Steel has confirmed in an update.
The government was first made aware of the breach in May. The first phase of the investigation involved isolating and replacing the affected system to eliminate ongoing vulnerabilities; an initial assessment via the Chief Information Officer Network to identify the systems that interact with Barracuda; and engagement between the ACT Cyber Security Centre, the Australian Cyber Security Centre and external cyber security experts to support the response through regular checks.
In early June, the ACT Government announced the breach of the Barracuda system, which it uses to support some of its ICT operations. This, in essence, made data protected by the software accessible.
The incident impacted organisations around the world that use Barracuda systems. According to research conducted by Google subsidiary Mandiant, the breach likely originated in China.
Users of Barracuda systems were made aware of the breach in May, but ACT Chief Digital Officer Bettina Konti said Barracuda first started noticing vulnerabilities in its system in October 2022.
“Following the completion of phase one, we can confirm that there continues to be no definitive evidence of any information being removed or misused from our systems,” Mr Steel said.
”No customers of Barracuda affected by the breach worldwide have been contacted by the threat actor.”
Now the first phase of the investigation has identified the breadth and complexity of the work required, the second phase is underway. According to Mr Steel, this will include a “thorough analysis of identified systems and impacts”.
“With the completion of phase one identifying the systems that have the ability to interact with the Barracuda system, we are now working to assess each individual system and the scope of information that may have been exposed,” he said.
“In order to move through this phase as quickly as possible, we are also engaging external support.”
For now, the ACT Government has advised the public does not need to take any action, but the third and final phase will outline recommended risk-based actions the community can take once the analysis is completed.
“Given the complexity of phase two, it is expected that it will now be several weeks before we have meaningful information to pass on,” Mr Steel said. This information will be available via Access Canberra.
“With many types of cybercrime, it is often not possible to identify all information that may have been compromised,” he said.
”This, combined with information that many of us are sharing online via social media, means that taking precautions to protect our personal information is now more important than ever.”