The community’s been assured that while several aspects of the ACT public service were vulnerable during a cyber security incident, there’s “no definitive evidence” any personal information has been stolen as a result.
Special Minister of State Chris Steel alerted the public on 8 June that a data breach had occurred through third-party email gateway system provider Barracuda.
Researchers have since suggested the attack on the software provider – which has hundreds of clients worldwide – has links to China.
In an update on Monday (31 July), Mr Steel said more than 120 ACT Government systems had been examined as part of the response to the incident.
“The outcome of this tells us the risk of serious harm to individuals resulting from this data breach is low,” he said.
Mr Steel explained investigations by public and private providers found three categories of information had been susceptible to access during the breach.
These were information from automated confirmation emails sent once a person had completed a government smart form, ACT public service payslips, and the scan-to-email function in some ACT public service offices.
“The categories of information were vulnerable between 12 November 2022, when the first unauthorised access was detected, and 28 May 2023, when the vulnerability was shut down as a result of the rebuild of the Barracuda email server,” Mr Steel said.
“The most important thing to note is we have not found definitive evidence of the removal of any data from our systems.”
Chief Digital Officer Bettina Konti acknowledged that while the risk to Canberrans was low, personal information was often included in the smart form automated emails.
“While this information was vulnerable during the period [outlined], there is no evidence, that we can find, of this information having been removed,” she said.
“There is no evidence of this information being misused, such as being posted on the dark web.”
She stressed another reason the government was confident no information had been taken was that this wasn’t a “direct attack” on its systems, but rather a vulnerability created by a breach of Barracuda’s software.
“I think over 100 [of Barracuda’s clients], from memory, have been impacted by this incident in a very similar way to us in the ACT,” Ms Konti said.
Mr Steel stated the harm assessment determined no individual-level investigations would need to be done; however, enhanced cyber security monitoring would continue to ensure no private or personal information was misused.
“Should any information become available that would change the risk of serious personal harm, appropriate actions will be taken, including notifications if necessary,” he said.
While no further action is necessary from the community as a result of this cyber breach and the consequent investigation, the ACT Government has acknowledged some people may still have concerns about their online personal data.
As a result, it has partnered with national identity and cyber support community service IDCARE, meaning its services will be available to Canberrans for free through the referral code ACTGOV23.
IDCARE case managers can work through any concerns in relation to personal information risks and any instances where it’s suspected information has been misused.
Contact IDCARE through the online form or by calling 1800 595 160. Specialist case managers are available from 9 am to 5 pm, Monday to Friday, excluding public holidays.