Incident Of The Week: Australian Government Directory Breached In First Cyberattack of 2019

Phishing Attack Kicks Off The New Year

CSIQ

The first data breach of 2019 came less than 24 hours into the new year when the private data of 30,000 Australian civil servants was stolen in a phishing attack. The breach occurred when a directory was downloaded by an unauthorized third party after a government employee in the state of Victoria received a phishing email.

The stolen data included details such as work emails, phone numbers and job titles. Staff were told no banking or financial information was held in the directory, according to ABC Network Australia.

University of Melbourne cyber security and privacy researcher Suelette Dreyfus told the network that although it did not appear the stolen data was highly personal or sensitive, the dataset as a whole could prove valuable for a more targeted attack.

"If you take even small snippets of information and you aggregate them into a dataset, you can then get an image of the entire state government because you know all the different people, their positions, their phone numbers … and you can figure out where the power center is and who you would target if you were going to try to hack someone's email," the network quoted Dreyfus as saying.

"Whether that's for commercial reasons about winning a contract or whether you were an international state player who might have an interest — financial or policy wise — all of these types of people could be advantaged by the information that was actually hacked," she said.

The Premier's Department said it referred the breach to police, the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner for an investigation. "The Government will ensure any learnings from the investigation are put in place to better protect against breaches like this in the future," a spokesperson for the department said in a statement, ABC News Australia reported.

Adnan Dakhwe, head of security and compliance at data security provider Vera, told Infosecurity Magazine that even when corporations have security measures and policies in place, they are often challenged when it comes to keeping pace with employee turnover, and falling behind is a common, innocent mistake that can jeopardize the integrity of data.

“Too often organizations stall in revoking access to sensitive files and corporate folders, once employees have parted ways with the organization,” Dakhwe said. “Keeping access permission updated in real time is essential to ensure private data isn’t jeopardized.”

