The New South Wales government has confirmed it was the target of a malicious phishing attack, after reports that a staff member from Service NSW clicked on a suspicious link from an email. According to an investigation by Service NSW, 47 employees’ email accounts were accessed illegally, while they are still working to confirm the scope of the attack on the personal information of customers. The compromised data in the email accounts breached largely related to transactions over the phone or over-the-counter at a Service NSW Centre. Service NSW has established a dedicated team to offer help to affected customers, according to ZDNet.
There’s one clear lesson from the breach against Service NSW: never underestimate email attacks. Phishing is probably the best known method of cyber attack, which often means that organisations assume it’s not a type of attack they need to worry about. This is incredibly counterintuitive, phishing is so popular because time and time again it proves effective, and criminals’ phishing techniques have become more sophisticated over recent years. Organisations should not expect that their staff will be able to spot them – protective technology should be in place.
In this case, almost 50 staff accounts were compromised. As Service NSW itself has identified, this makes it a significant breach because each member of staff will have emails that contain sensitive information of citizens of New South Wales. It will take a long time to work out just how much personal information could have been accessed by criminals and to alert everyone who could have been affected. Organisations should remember that cyber criminals, like all criminals, will use the point of attack with the least resistance and the least likelihood of triggering the alarm. Often that is utilising the easiest and proven techniques such as phishing.
No one ever expects to be hit with a large scale attack, but this is a timely reminder that they continue to occur – and even with the best security intentions, staff must remain vigilant.
Whenever governments are hit with an attack they are usually quick to admit it and announce to the public, or at least those affected, immediately. This is far from what private businesses tend to announce, as they may be influenced by insurers or PR agencies, preferring to keep such news under the radar.
However, I feel we could learn from such a delivery of information to better protect organisations. Reporting hacks and scams in business tends to help protect other organisations, and working collaboratively helps us reduce the future risk. There are also some excellent resources out there in the form of online training packages. With the majority now working from home, it is even more vital to retrain the workforce.