1 August 2023

Public servant payslips among documents vulnerable during Barracuda cyber security breach

| Claire Fenwicke

Digital and Data Special Minister Chris Steel with Chief Digital Officer Bettina Konti and Chief Information Security Officer Julian Valtas outlining details of the security breach. Photo: Claire Fenwicke.

The community’s been assured that while several aspects of the ACT public service were vulnerable during a cyber security incident, there’s “no definitive evidence” any personal information has been stolen as a result.

Special Minister of State Chris Steel alerted the public on 8 June that a data breach had occurred through the government's third-party email security gateway provider, Barracuda.

Researchers have since suggested the attack on the software provider – which has hundreds of clients worldwide – has links to China.

In an update on Monday (31 July), Mr Steel said more than 120 ACT Government systems had been examined as part of the response to the incident.

“The outcome of this tells us the risk of serious harm to individuals resulting from this data breach is low,” he said.

Mr Steel explained investigations by public and private providers found three categories of information had been susceptible to access during the breach.

This included information from automated confirmation emails sent once a person had completed a government smart form, ACT public service payslips, and the scan-to-email function in some ACT public service offices.

“The categories of information were vulnerable between 12 November 2022, when the first unauthorised access was detected, and 28 May 2023, when the vulnerability was shut down as a result of the rebuild of the Barracuda email server,” Mr Steel said.

“The most important thing to note is we have not found definitive evidence of the removal of any data from our systems.”


Chief Digital Officer Bettina Konti acknowledged that while the risk to Canberrans was low, personal information was often included in the smart form automated emails.

“While this information was vulnerable during the period [outlined], there is no evidence, that we can find, of this information having been removed,” she said.

“There is no evidence of this information being misused, such as being posted on the dark web.”

She stressed another reason why the government was confident no information had been taken was because this wasn’t a “direct attack” on its systems, but rather a vulnerability created by a breach of Barracuda’s software.

“I think over 100 [of Barracuda’s clients], from memory, have been impacted by this incident in a very similar way to us in the ACT,” Ms Konti said.

Mr Steel stated the harm assessment determined no individual-level investigations would need to be done; however, enhanced cyber security monitoring would continue to ensure no private or personal information was misused.

“Should any information become available that would change the risk of serious personal harm, appropriate actions will be taken, including notifications if necessary,” he said.


While no further action is necessary from the community as a result of this cyber breach and the consequent investigation, the ACT Government has acknowledged some people may still have concerns about their online personal data.

As a result, it has partnered with national identity and cyber support community service IDCARE, meaning its services will be available to Canberrans for free through the referral code ACTGOV23.

IDCARE case managers can work through any concerns in relation to personal information risks and any instances where it’s suspected information has been misused.

Contact IDCARE through the online form or by calling 1800 595 160. Specialist case managers are available from 9 am to 5 pm, Monday to Friday, excluding public holidays.

Comments

Tom Worthington, 11:02 am, 03 Aug 23

Automated confirmation emails shouldn’t contain any sensitive information. Similarly, there is no need for sensitive information in public service email pay advice (the employee can log in to get the details). Scan-to-email is more troubling, as those messages could contain sensitive information. Perhaps that function should be disabled in public service offices.

Is Chris Steel a Russian agent piece by piece bringing down the system from the inside? If so, he’s doing an unprecedentedly remarkable job.

Not a week goes by without news of another stuff up or negative finding by the Auditor General or a review panel.

Phew. A thorough investigation and only staff personal details including addresses, pay details and bank details.

So glad we have Minister in a State Chris Steel at the helm. Complex Systems theorists and cyber crims can relax.

The payslips don’t have bank details.
