June 21, 2018

Cybersecurity vulnerability revealed after NSW Government agency’s 49-day hack

The NSW Government’s vulnerability to hacking has been exposed in a report by the state’s auditor-general, which revealed that one government agency took 49 days to shut down a hack.

This hack started with an email account of the unnamed agency being compromised and used to send out “phishing” emails to get the credentials of finance staff members. By day 20, 300 staff had clicked on the bogus link in the phishing email. 200 email accounts ended up being under the control of the hackers.

Shockingly, the password to the originally-compromised email account was only checked 42 days after the initial breach when it was found that it hadn’t yet been changed. The agency’s payments gateway (used for business invoices, staff salaries and superannuation) was offline for nearly 3 weeks while the hack was addressed.

One of the key findings in the report was that most IT service providers to NSW public sector agencies are, surprisingly, not contractually obliged to report incidents to agencies. Only two of ten surveyed agencies had contractual arrangements which obliged providers to report incidents in a timely manner.

This is vital for all public and private sector organisations. By including clauses in contracts requiring IT service providers to report all cyber security incidents within a reasonable timeframe, organisations not only pass on legal risk to their suppliers, but also ensure they are notified of all incidents for their own regulatory compliance. This is essential, for example, in order to comply with new mandatory data breach notification requirements which we recently blogged about.

Whether public service or private companies, there are now requirements to notify of serious data breaches, never mind the wisdom in knowing about them and ensuring mitigations are put in place to prevent further damage! Time to check your key supplier relationships, we suggest.

Harry Crawford also contributed to this post.

Copyright 2018 K & L Gates

About this Author

Cameron Abbott
Partner

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

+61.3.9640.4261