The ACT government has suffered a security breach through an issue with an email security monitoring system, which had allowed malware to infiltrate the government system and may have resulted in data theft.
Months worth of government emails could have been exposed in the breach, an expert suggested, but the government is still investigating what could have been taken.
Special Minister of State Chris Steel said the government was not aware of any information being leaked on the dark web as a result of the breach, and no one responsible for the breach had contacted the territory.
"What we're announcing today is that there's a strong likelihood that there's been a breach. We've been transparent with the community that information about citizens may have been accessed in ACT government systems," Mr Steel said.
The issue with the Barracuda system was notified to system users on May 24, prompting the ACT Cyber Security Centre, which was established last year, to investigate, the government said.
The centre identified a breach and now a harms assessment has been commissioned to work out what data may have been accessed.
"We are confident that actions taken to date have contained the breach and that there is no ongoing threat. Canberrans can continue to use ACT government online systems with confidence," Mr Steel said on Thursday morning.
While investigations were continuing, Mr Steel said information provided to the ACT government in digital forms - which then send a copy of the form back to the person who submitted it in an email - was the type of data most likely to be affected.
There was no ongoing risk to users' devices who had interacted with the ACT government and while Canberrans were advised to remain vigilant, no further action was required at this stage.
The government became aware of the likely breach very late last week but had identified the vulnerability in May, Mr Steel said.
The government's Cyber Security Centre was working with the Australian Cyber Security Centre and Barracuda Networks on the investigation into the data breach.
"This incident is a reminder for everyone in the community to be vigilant about their personal cyber security, including monitoring their personal information online for any suspicious activity," the government said in a statement.
The government said it would provide weekly updates on the data breach.
ACT government chief digital officer Bettina Konti said the incident was not an attack on the ACT government but an attack on the Barracuda system. The government found out about the breach through the Barracuda website.
"It would have been useful for Barracuda and any other technology provider to notify their customers immediately. That said, Barracuda are not the only organisation that communicates with its customers, particularly when they've got hundreds of thousands of customers across the globe, through a website," Ms Konti said.
Ms Konti said the ACT government had completed a "virtual rebuild" of the Barracuda email system to ensure there was no ongoing vulnerability.
"We believe it to be safe and the vulnerability to be extinguished," she said.
Vanessa Teague, a data security expert and associate professor in the Australian National University's college of engineering, computing and cybernetics, said the ACT government's statement had showed transparency.
"It doesn't mean they think they have recovered any data that might have been leaked ... They believe they've plugged the hole rather than cleaned up the leak," Dr Teague said.
Dr Teague said it would be important for the government to contract people directly affected.
"If you use a gateway to protect the security of your email, and if it works great, that's great. And if it is vulnerable, then it's a single point of compromise of your whole email system ... I think Barracuda has been pretty transparent about it. I don't think you could ask for perfection; I think you can ask ask for honesty," she said.
"If you read what Barracuda has said, it really sounds like an attacker could pretty much control, read and or edit everything that went through the email system."
US-based Barracuda Networks Inc operates a series of cybersecurity services, including email protection, network protection and data back up.
The company first advised its customers on May 18 - almost three weeks ago - of an issue in its email protection system that scanned incoming email attachments that had allowed malware to steal data.
The earliest evidence of the vulnerability being exploited was in October 2022, the company said. The ACT government's investigation is now trawling through data back to this time.
"Barracuda Networks' priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks," the company said in an online statement.
On June 6, the company advised its customers to completely replace their email security gateways, after earlier issuing patches to fix the malware issue.
Mr Steel said it was a question of when, not if, governments would face cyber security breaches.
"Unfortunately, what we've seen is an incident occur in a system that was actually up to date and where there was no mitigation that we believe was possible to put in place to address this issue. But nonetheless, it has occurred and now we need to respond and manage it," he said.
Attorney-General Shane Rattenbury this week told the Legislative Assembly the government was in a stronger position to respond to cybersecurity incidents having learnt from how it handled a breach of Legal Aid ACT data in November 2022.
The government was also working to reduce, where possible, the amount of information it keeps on hand about individuals to reduce the impact of potential data breaches, he said.
We've made it a whole lot easier for you to have your say. Our new comment platform requires only one log-in to access articles and to join the discussion on The Canberra Times website. Find out how to register so you can enjoy civil, friendly and engaging discussions. See our moderation policy here.
