In a series of reports in recent months, Auditor-General Brendan Worrall has highlighted how various State Government computer systems are still vulnerable to cyber crime, whether through the hacking of information or interference with essential services.
Some agencies have even been ordered to make immediate changes.
Today, in a government-wide audit tabled in parliament, Worrall pointed out that cyber warfare had seen “a significant and sustained escalation since the start of the pandemic in February 2020”.
CITEC’s Queensland Government Cyber Security Operations Centre is now dealing with an average of 30,000 cyber attacks per day that aim to shut down a system or network. The number of attacks each month doubled in the year to August 2020.
“There has also been a significant increase in phishing across the private and public sectors,” Worrall wrote, pointing to attempts to register false government websites.
“Phishing scams trick people into providing confidential information through email or message platforms.
“For the year to July 2020, the average number of phishing attacks increased by nearly 200 per cent, with attacks in August 2020 increasing by more than 800 per cent to over 8 million—the highest number recorded in a month in the Queensland public sector.”
Worrall again called for public sector agencies to take cyber attacks more seriously and safeguard government and consumer information.
In 2019-20, his team identified six ‘significant’ deficiencies and 27 deficiencies in the agencies audited.
“Security is like a chain: one weak point can disrupt the integrity of the whole structure. Cyber security is only as strong as the weakest link.”
The auditor’s warning came shortly before it was revealed that an unknown third party had accessed the data of patients and potentially staff CVs at one of Queensland’s leading medical research institutes.
The QIMR Berghofer Medical Research Institute has apologised after it was notified that its data stored on an external file-sharing system hosted by Accellion was breached.
The institute said about 620MB of data – including clinical patients’ information like their age, sex and ethnic group and potentially staff member CVs – were accessed last Christmas Day, December 25.
“The likely data breach, by an unknown party, appears to have been caused by a vulnerability in Accellion’s system,” QIMR Berghofer said in a statement.
The breach also affected some of Accellion’s international clients and the institute shut down the software and launched an investigation.
QIMR Berghofer said the hacked data related to clinical trials of anti-malarial drugs but no personally identifying information, such as patients’ names or contact details, was accessed. CVs of 30 current and former staff may have also been accessed.
QIMR director and chief executive Fabienne Mackay apologised for the breach and said the Accellion system has been decommissioned.
“We are very concerned that some data appears to have been accessed and I want to say a sincere sorry to our stakeholders, particularly our clinical trial partners and members of the public who took part in our anti-malarial drug trials,” Mackay said in a statement.
“These trial participants do a wonderful community service by helping to speed up the development of new drugs for a disease that kills about 400,000 people every year.
“We don’t believe that any of the information in Accellion could be used to identify any of these participants, but nonetheless, I want to apologise sincerely that some of their de-identified information could potentially have been accessed.”
She said many of the files had to be kept for 15 years but they did not need to be stored externally.
She said the institute was reviewing whether third-party systems should be used or more secure locations were available.
She stressed there was no indication QIMR Berghofer had been directly targeted and it was more likely caught up in a breach aimed at Accellion.
The institute has reported the breach to the Australian Information Commissioner and the Australian Cyber Security Centre.
-ADDITIONAL REPORTING: AAP