Service NSW slammed in security audit

New South Wales’ Auditor General has slammed Service NSW’s handling of personal customer and business information in the wake of back-to-back cyber attacks in March resulting in the compromise of “large amounts of personal information”.

Threat actors gained access to 47 staff email accounts that contained a large amount of personal information, the audit into the incidents found.

The audit found that Service NSW had failed to put in place controls to mitigate privacy risks it had identified prior to the attacks.

According to the report, Service NSW had identified that the emailing of personal information by staff to client agencies was a risk factor; the agency failed to effectively mitigate the risk prior to the breaches.

While some controls had been put in place, such as requiring staff to manually delete emails that contained personal information, these measures were ineffective at preventing the breach.

While Service NSW has subsequently implemented measures to automatically archive emails likely to contain personal information, the audit found that the agency has not put in place any technical or other solutions to avoid staff having to scan and email personal information to some client agencies.

“Urgent action is needed to remove the requirement for staff to email personal information to client agencies, thereby mitigating the risk inherent in sending and storing this information using email,” the audit found.

The attacks also exposed weaknesses in the IT and security controls implemented by Service NSW over its Salesforce CRM system, which holds the personal information of over four million residents, the audit found.

While a privacy impact assessment conducted on the CRM system in 2015 recommended that the system include the ability for customers to review access history to their personal information, as well as the option for customers to apply multi-factor authentication to their accounts, neither recommendation has been implemented.

According to the report, Service NSW’s privacy management plan also does not clearly set out the privacy obligations of Service NSW and its client agencies, and has not been updated to include new programs and governance changes.

This is partly due to the agency’s rate of growth outpacing the establishment of a robust control environment, according to the auditor general, which has exacerbated security risks.

The report into the audit urges Service NSW to implement a solution for a secure method of transferring personal information between Service NSW and client agencies without needing to rely on email, and review the need to store scanned copies of personal information at all.

By March, Service NSW should ensure that all new agreements entered into with client agencies address the deficiencies identified, and review its privacy management plan to address these deficiencies.

Service NSW has also been urged to address the deficiencies in its Salesforce CRM platform by June, and to update all existing agreements with client agencies by December.

Service NSW has committed to fulfilling all the recommendations by March 2022. Central to the reforms will be a move away from paper-based processes for the capture and transfer of customer information, the agency said in a statement.

The agency has already reduced the amount of staff data held in mailboxes by 92%, implemented multi-factor authentication on several critical applications, and appointed both a chief risk officer and chief privacy officer.

Image credit: ©stock.adobe.com/au/sasun Bughdaryan