The simple click of a mouse was all it took to punch a digital hole in what should be one of the country's most secure IT systems, Federal Parliament.
"A small number of users visited a legitimate external website that had been compromised," Senate President Scott Ryan told a parliamentary committee.
"This caused malware to be injected into the parliamentary computer network."
He also revealed that security agencies monitored the hack for eight days after they discovered it on January 31.
They shut the system down on February 8, after two senators and a small number of lower house members had "non-sensitive" data stolen.
An email was sent out advising users of the hack, though some users could not read it because the shutdown knocked out Parliament's IT system until each user's password had been reset.
The Government is refusing to provide further details of the hack, citing national security.
The ABC can reveal security thwarted another attempted attack a fortnight ago.
An email was sent to users on October 31, advising an Emotet Trojan malware had been detected in the system, similar to that discovered in the Queensland and South Australian healthcare systems.
It temporarily banned users from accessing personal email accounts like Gmail from the parliamentary system.
Parliament regularly runs cyber hygiene courses for the system's thousands of users but they are poorly attended, according to Labor MP Tim Watts, the shadow assistant cybersecurity minister.
"It's a common practice in the corporate sector these courses are mandatory; that's not the approach the parliament has taken," he said.
"We need to significantly increase the sense of urgency among MP's and staff about cyber hygiene and how to protect themselves."
And he said it was possible January's attack was a "watering hole" style operation which "involves setting up a website or infecting an existing website that is known to be used by particular groups".
