The NSW government has blocked access to an international file transfer company after servers at the state’s health and transport department were among those in major organisations hacked by international cybercriminals.
The move comes as the personal information of at least 104,000 people, including NSW staff accounts, was compromised in a phishing attack that occurred in April 2020, according to a NSW Inquiry into Cybersecurity.
Cyber Security NSW was first made aware of vulnerabilities in the Accellion File Transfer Appliance (FTA) in January and established “Strike Force Martine” with NSW police to investigate the impact of the breach.
In a statement published Tuesday, the NSW government said it had “retired” all instances of the Accellion FTA “as part of the centralised response to protect customer and government data.”
It confirmed that government agencies—Transport for NSW and NSW Health—were among those affected by the attack.
“An assessment of the volume and value of data and any consequences for customers or government is underway,” the statement added.
“Forensic analysis by industry specialists has established there was no third-party access to major agency systems including the Driver Licence systems, the Opal travel systems, or electronic medical records systems used by public hospitals.”
According to the NSW Inquiry into Cybersecurity, close to 80 percent of the 104,000 individuals affected were notified of the data breach through registered mail.
However, the NSW Auditor-General slammed Service NSW for not “effectively handling personal customer and business information to ensure its privacy.”
In response, CEO of Service NSW Damon Rees said the agency had begun reducing the risk of breaches by removing “all email held in the accounts of customer service staff that was over 60 days old.”
“Further controls” have been implemented to reduce further risk.
A lack of multi-factor authentication was also mentioned as a contributing factor to the breach.
Accellion File Transfer Appliance (FTA), a “20-year-old legacy product”, is an online file-sharing system developed by Californian cloud company Accellion that is used to store and share sensitive information. The system is expected to “retire” on April 30, the company announced.
In recent weeks, data breaches have occurred at approximately 300 organisations that use the Accellion FTA system, reported Gizmodo. Organisations include: the Australian Securities and Investments Commission (ASIC), QIMR Berghofer Medical Research Institute in Queensland, the Reserve Bank of New Zealand (RBNZ), and Harvard Business School.
According to Gizmodo, on Dec. 23, 2020, a bad actor hacked its way into Accellion’s client data via a zero-day vulnerability in its secure file transfer application.
The vulnerability was “patched” by Accellion within 72 hours, the company said in a statement on Jan. 12, 2021.
The NSW government said that scammers may try to capitalise on these events and that customers “should not respond to unsolicited phone calls, emails or text messages related to any security matter.”
On Aug. 6, 2020, Prime Minister Scott Morrison pledged AU$1.67 billion to support a ten-year cybersecurity strategy to protect the nation’s critical infrastructure.