Data belonging to the South Australian government has been confirmed stolen, after hackers gained access to it through a third-party breach.
The breach was announced by South Australian State Treasurer Stephen Mullighan, who said that the threat actors had targeted a call centre previously contracted by Super SA, a superannuation fund specifically for state government staff.
“A third-party provider who was contracted by Super SA, and other government agencies, to provide call centre services has experienced a cyber security incident,” said Super SA.
“This affects a small cohort of Super SA members, and none of the data held by the third-party provider contains information post-2020.
“We can assure you that the security of member funds and our core operations have not been impacted.”
The incident follows the aftermath of another cyber attack that Super SA suffered in 2019, which led it to hire the call centre to contact affected members, according to Mullighan.
Data obtained by the call centre was retained after the contract with Super SA ended, which Mullighan has said is a major issue that is under investigation.
“It is still being investigated why that call centre provider had retained data on its systems relating to managing that particular agency’s client relations task,” he said.
“That raises … a series of further questions – what requirements are there for these agencies to not continue holding government data on their ICT systems after they complete doing work for government?
“It is absolutely clear that the way in which these incidents have been managed is not good enough because it’s causing the exposure of sensitive South Australians’ data to be exposed to illegal access.”
Mullighan expressed his frustration over the state government’s response to the breach, after he was made aware of it last week despite the breach having happened over two months ago.
“It’s simply not good enough,” he said.
“The way government responds to this needs to improve because it is letting, on these sorts of occasions, thousands – sometimes many thousands – of South Australians down.”
For context, organisations that suffer a breach are required to notify the Office of the Australian Information Commissioner “as soon as practicable” and no later than 30 days after they become aware of the breach. While the breach affected a third party rather than the South Australian government itself, two months is a long period to leave affected government staff in the dark.
Citing the poor handling of the breach and the delay in notifying those affected, Mullighan has called for the South Australian government to massively ramp up its cyber security response.
“Government agencies need to do a much, much better job at firstly, trying to insulate themselves as best they can against these attacks in the first place, but secondly, respond to them in a timely, thorough and appropriate way,” he said.
“I’m not convinced that the response from government agencies, let alone the external third-party provider here, has been timely, has been thorough and has been casting a mind as quickly as it should to the impacts to be borne by people who might be impacted by it.”