Personal details and ACT government information potentially accessed in cyber security breach

An investigation is underway to see how much personal and government details could have been accessed following a data breach.

The ACT Government uses email gateway system Barracuda to support some of its ICT systems, which put up a notification on its website on 24 May that there had been a breach.

This essentially made data protected by the software accessible.

“This isn’t an attack on the ACT Government, this is an attack on Barracuda systems,” Chief Digital Officer Bettina Konti said. “It’s not a virus, it’s not malware, it is a vulnerability that was exposing information or making available information to a threat actor.”

Once the ACT Cyber Security Centre discovered the notice, it undertook a complete rebuild of the impacted Barracuda system to eliminate any ongoing vulnerability.

But while data is safe from further access, it’s unclear how much damage has already been done.

“We are some way through [investigation], which is what made us think that there’s a likelihood here we may have had some personal information involved, but we need to be able to complete the harms assessment to be clear,” Ms Konti said.

“The work that we’ve got to do now is to understand, during the period the vulnerability existed, what was the information that went through that system, what was it connected to and what information is in there that may have been able to be accessed.”

As government directorates are linked through the system – including Access Canberra, health and education – it’s unknown how much data was exposed, and how much data was accessed.

It’s also possible information further back from 24 May could have been accessed, given Barracuda first started noticing vulnerabilities in its system back in October 2022.

“So if it is back as far as October then that increases the amount of data we need to trawl through to try and understand what may have been accessed, whether anything has actually been taken,” Ms Konti said.

Digital and Data Special Minister of State Chris Steel said investigations so far showed there was a “strong likelihood” of a breach but the person or group behind the vulnerability had not been identified.

“At this stage, we are not aware of any information that may have been accessed on any ACT Government systems being made available on the dark web,” he said.

“The threat actor themselves have not been in contact either with ourselves or, as far as we’re aware, Barracuda.”

He explained while there’s no evidence thus far of Canberrans’ personal information being accessed, that was being investigated and it’s possible it could have been taken from automated emails.

“We do believe there is a likelihood that some information could have been accessed through the vulnerability,” he said. “The type of information though that we’re talking about is likely to come from a subset of automated emails related to government systems that have been impacted.”

This includes if someone had filled out an online form and received an automated email in reply containing some of the information they had inputted.

The ACT Cyber Security Centre is working with the Australian Cyber Security Centre and Barracuda Networks on the ongoing investigation.

Mr Steel said that given the cyber security environment, this highlighted the importance of being vigilant with online information.

“Unfortunately what we’ve seen is an incident occur in a system that was actually up to date and where there was no mitigation that we believe was possible to put in place to address this [type of] issue, but nonetheless it has occurred and we need to respond and manage it,” he said.

“It’s now for us as the ACT Government not a question of if this will happen but when, and we’ve been preparing now over many years to try and harden our cyber security measures.”

The ACT Government has committed to weekly updates on the incident, to be communicated through Access Canberra.