Queensland’s water service was exposed to a major cyber breach that broke through to its web server and remained undetected for nine months, the state’s Auditor-General (AG) has revealed in its latest audit report.
The breach, which was found to have occurred from August 2020 to May 2021, resulted in unauthorised access to a state water entity’s web server, with hackers targeting “an older and more vulnerable version of the system”, the auditor confirmed.
The web server, which stores customer information, was found to contain “suspicious files that increased visitor traffic to an online video platform”.
Of particular concern to the auditor were “weaknesses” identified in multiple information systems used to prepare financial statements (financial, invoicing, and payroll); these vulnerabilities enabled hackers to breach the entity and effectively “remain undetected for nine months”, the auditor said.
The auditor added that it “[continues] to identify weaknesses in the information systems”, and urged entities “to establish stronger processes for monitoring access to systems”.
“Entities should only assign employees the minimum access required to perform their jobs.”
It was noted, however, that the breach “did not result in lost customer or financial information”.
The impacted entity implemented several measures to address the breach, the auditor acknowledged, including updating of software, the use of stronger password practices, and the monitoring of incoming and outgoing network traffic.
The breached water entity was one of six surveyed in the audit, with the AG identifying 11 security or systems access deficiencies (among which included three rated “significant” within a single water provider) across the sector.
“One entity’s control environment was assessed as ineffective due to three significant deficiencies identified during the audit,” which exposed the financial records systems.
The six audited Queensland water providers were Seqwater, Sunwater, Urban Utilities, Unitywater, Gladstone Area Water Board, and Mount Isa Water Board.
The breach resulted in the auditor issuing just a one recommendation for the state’s water entities this year: to address the security of their information systems.
The auditor noted that this was also “one of our three recommendations in Water 2020 (Report 9: 2020–21), and has become even more important this year as several entities have introduced new systems and there has been a recent cyber breach in one of the water entities”.
It remained apparent to the auditor that “not all the water entities have fully addressed this recommendation”.
“Water entities rely on information technology systems to operate their businesses and prepare financial statements. They must have strong controls over who has access to the systems and the information in them. Weaknesses in information technology controls increase the risk of undetected errors or potential financial loss, including fraud.”
“Immediate action needs to be taken to address ongoing security weaknesses in information systems.”
The AG noted in particular that as entities adopt more cloud-based services (which it says “provide remote access to systems”), “cyber risk vulnerabilities and exposures must be continuously assessed”.
“We have received responses from each entity on planned corrective action for the internal control issues raised.
“We are satisfied with the responses and proposed implementation time frames. However, we continue to identify significant control weaknesses in the security of information systems.
“This is a critical issue for water sector entities and should be addressed as soon as possible.”
New auditing tools on the way
The Auditor-General said the office is currently developing “new assessment tools for internal controls relevant to public sector entities”.
“They will provide the entities with greater insight into the strength of their internal control processes.
These tools focus on asset management, change management, culture, governance, grants management, information systems, monitoring, procure-to-pay (the whole procurement process), record keeping, and risk management.
The AG said it intends to begin using these tools in its audits from 2021–22.