Category: Damon Rees

  • A new advisory firm set up by former NSW digital minister Victor Dominello will be subject to a set of conditions imposed by the NSW Parliament, initially preventing it from working with companies bidding on state-run projects. The firm will also have limits set on what advice it can provide on policies that the former…

    The post Conditions set on Victor Dominello’s new consulting firm appeared first on InnovationAus.com.

    This post was originally published on InnovationAus.com.

  • If it wasn’t already obvious, this week’s report into Australia’s scuttled business registers transformation has left no room for misinterpretation. The case for large-scale technology projects in government no longer holds water. This realisation is not new, with waterfall projects considered unfashionable long before the troubled Modernising Business Registers overhaul began in 2018. But it…

    The post Lessons from Canberra’s latest tech catastrophe appeared first on InnovationAus.com.

  • The Albanese government has scrapped a major upgrade of the country’s business registers after an independent review found it would cost up to $2.2 billion to complete the project – five times what had been budgeted by the previous government. But the government will still be forced to spend at least $400 million at a…

    The post ‘Burning $12m-a-month’: Govt scraps business register overhaul appeared first on InnovationAus.com.

  • Former Service NSW chief executive Damon Rees will lead the federal government’s independent review of the modernising business registers program, which Treasury estimates will cost $1 billion more than was budgeted by the Coalition. Mr Rees will conduct the four-month health check of the project aimed at consolidating the country’s legacy business registers in order…

    The post Ex-Service NSW boss to lead review of business register overhaul appeared first on InnovationAus.com.

  • New South Wales’ long-serving government chief information and digital officer Greg Wells will step down to become the new chief executive at service delivery agency Service NSW. Mr Wells, who has spent the last four-and-a-half years as whole-of-government CIO, will move into the top job at the state’s one-stop shop for government services next week,…

    The post NSW govt technology chief steps down to lead Service NSW appeared first on InnovationAus.com.

  • Nearly 40,000 people whose data was compromised in a massive Service NSW data breach last year will never receive official notification about the incident because of the type of data involved and the agency’s policy to deliver “personalised” notices through the post.

    In a NSW Budget Estimates hearing on Wednesday, officials from Service NSW confirmed about 103,000 people’s information was compromised after a targeted phishing attack gave attackers access to its internal email systems between March and April last year.

    Service NSW suffered a massive data breach in 2020.

    But more than a year later, nearly 40 per cent of people impacted have not been contacted.

    The agency’s chief executive Damon Rees said Service NSW had successfully contacted 63,500 of the people who had their data compromised. This was done through the post because Service NSW had advice that other forms of contact like phone or email would create further risks and because letters offered more “personalised” advice.

    “[Registered letters] also effectively meant that a customer was signing for their own notification, and therefore we were able to provide a greater level of more personalised advice there,” Mr Rees said.

    Letters were primarily sent via registered post, requiring the affected person to prove their identity and sign for the letter. However, thousands of letters were returned and Service NSW conducted a round of data matching with Transport NSW to obtain more current addresses and tried again.

    Mr Rees said ultimately about 18,500 letters were unable to be delivered with registered post. A final round saw new non-registered letters sent to this group advising them to contact the agency.

    “We weren’t able to personalise those final round mails in the same way,” Mr Rees said.

    “But if you put all that together, 63,500 customers were ultimately successfully notified out of the 103,000.”

    The Service NSW chief said the nature of the data involved in the breach also played a “heavy role” in the agency’s ability to identify people impacted.

    Because the breach came through email accounts rather than a core system, it was difficult for the agency to correlate the information which had been compromised with individual people, according to Mr Rees.

    “That meant the information that was extracted was highly unstructured in its nature. So it could be content within an email, it could be a scan of a handwritten document, it could be a scan of a receipt,” he said.

    “So the unstructured nature of that meant that actually the level of information that was able to be extracted and our ability to correlate that information and recognise [certain individuals was difficult].”

    A damning NSW parliamentary inquiry and report into government cyber security triggered by the incident recommended an overhaul of cyber security strategy and policies, including formal notification procedures for data breaches and a stronger mandate for Cyber Security NSW.

    The government is yet to respond to the report but launched a new cyber strategy in May. Department of Customer Service officials were unable to answer several questions on the report’s recommendations at the Budget Estimates hearing on Wednesday, taking many on notice and confirming a formal government response to the report is expected soon.

    The post Forty per cent of Service NSW data breach victims not notified appeared first on InnovationAus.

  • A NSW parliamentary inquiry has recommended an overhaul of the state government’s cybersecurity strategy and a review of its cyber policies in the wake of a serious data breach that resulted from cyber risks being ignored.

    Nearly a year after a cyberattack on Service NSW that allowed hackers to access millions of internal documents, the incident is yet to be fully addressed.

    Risky data practices have continued and thousands of NSW citizens whose data was involved were not notified. The breach is expected to cost the service agency at least $30 million.

    The incident may have been prevented had the agency addressed the cyber risks it identified a year earlier, according to a NSW Upper House inquiry that has now called for structural changes.

    NSW Parliament: An inquiry has made recommendations about cyber defences

    Recommendations include strengthening the mandate and resourcing of Cybersecurity NSW, including moving the function from the Department of Customer Service to the Department of Premier and Cabinet.

    Doing so would provide much needed independence from the state’s service providers, the inquiry found.

    Of “urgent” importance is the establishment of a mandatory data breach notification scheme applicable to all NSW agencies and their contracted service providers, and a formal process for assisting people affected by a data breach, the committee said.

    Currently neither measure exists in the state, an absence that contributed to the enablement and poor handling of the Service NSW data breach that sparked the inquiry.

    “The committee found that this attack was enabled by practices and systems within Service NSW that did not accord with best practice cyber security measures,” Committee Chair Tara Moriarty wrote in the report foreword.

    “Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them.”

    A targeted phishing attack on the service agency in March and April last year compromised data of more than 100,000 people when attackers gained access to Service NSW employee email accounts.

    It took Service NSW three weeks to verify the incident and notify the minister. It took months more to notify users of Service NSW whose data had been exposed. And nearly a year after the incident, 20 per cent to 30 per cent of those affected had still not been notified.

    A review of the incident by the NSW Auditor General in December found it was “unclear” why Service NSW had not effectively mitigated the risk prior to the breach.

    Service NSW identified risks including a lack of multifactor authentication a year prior to the breach and had committed to addressing them in 2019 but failed to do so until after the major incident in 2020.

    “Service NSW is not effectively handling personal customer and business information to ensure its privacy,” the Auditor General concluded. “It continues to use business processes that pose a risk to the privacy of personal information.”

    Service NSW chief executive Damon Rees told the parliamentary inquiry in February the agency has continued to use at least one high risk practice – sending personal information via email – as it worked on a more secure alternative. But he insisted many of the risks have now been mitigated.

    Other recommendations from the inquiry include a review of the “responsibility and resourcing” of the NSW privacy watchdog; more work from the government with industry to develop a cybersecurity skills framework; more clarity on cyber standards including mandatory ones for government agencies; investigating ways to improve the security of IoT devices; a strategy for improving the cyber safety of citizens; and more support to local councils to enhance their cyber capabilities.

    The Committee also recommended the NSW government develop a strategy to enhance sovereign cyber security capability by building the local industry and establishing principles for procuring services onshore.

    The post NSW readies state overhaul of cyber defences appeared first on InnovationAus.
