The South Australian Government (SA Gov) has been affected by a data breach of over 80,000 staff enrolled in its payroll system provided by Frontier Software.
This is now the largest Australian Government data breach on record.
For those unfamiliar with Frontier Software, they are the providers of the Chris21 platform used by many government bodies across Australia. Frontier Software is a ‘vendor’ to the SA Gov and the other government bodies.
This data breach reinforces the fact that no matter how strong an organisation’s own cyber security practices are, it must never neglect the cyber security posture of the vendors, third parties and suppliers who hold its sensitive information.
The data breach incident
Frontier Software first reported experiencing a cyber incident on the 16th of November 2021 with specifics of the incident limited to system users. The data breach resulting from the incident was first discovered on the 8th of December 2021 and quickly confirmed by the South Australian Government on 9th December 2021.
The SA Gov was quick to act and transparent in disclosing what type of data was breached. The payroll data leaked included all the sensitive information typical of employment enrolment, such as names, residential addresses and dates of birth, as well as the more critical tax file numbers and banking details.
While the response by SA Gov to monitor affected individuals was quick and may prove effective, the data is still out there and often breaches are held for years before actually being exploited. The individuals affected may see unusual activity long after the increased monitoring has worn off.
Aside from the reactive approach, what proactive measures were missing that could have prevented this breach from ever occurring?
Our analysis – What we found
Using a combination of our vendor assessment tools looking at billions of datapoints, we were able to determine the weak point in Frontier Software’s security and provide a grading.
Email security was the red flag, scoring a mere 206 out of 950, resulting in a D rating. The rating was driven by two critical outstanding risks: no email SPF policy and no email DMARC policy.
These two policies are both free and simple to set up. Having neither of them meant anyone with an internet connection could easily send a fake email using real Frontier Software email addresses in a matter of minutes. A simple task that anyone with basic Google knowledge could undertake thanks to some cheeky online tools that are available to the public.
There is a high probability that the lack of basic email security is the source of the ransomware attack experienced by Frontier Software. Statistically, email phishing is the most common form of attack in Australia and the lack of security would have allowed a threat actor to easily emulate a genuine internal email between staff.
Security in other areas such as network, website and malware security were on par with the industry average for third party software vendors, scoring an average of a low B rating. This in itself could be another red flag for the inadequate state of the industry average relating to cyber security. In an industry focused on providing software as a core product, cyber security should be one of the greatest strengths.
In the last week we have seen Frontier Software’s security scoring slowly increase to break through the industry average overall, perhaps in response to the ransomware attack, though unfortunately too little, too late. Organisations should be addressing these issues prior to a data breach and having independent assessments performed regularly to test and validate their controls.
How we find potential data breach vulnerabilities
A risk assessment much like the one we performed on Frontier Software requires a combination of tools that check external, public-facing security controls. This is the same place a threat actor would start, often using similar tools, to search for the weak points. Once we identify them, these weak points are categorised into different types of security and given a severity rating based on their potential impact.
By identifying these weak points and providing remediation advice, organisations can set a clear path and prioritise the changes required to ensure higher impact threats are mitigated before they occur.
What could they have done to prevent the data breach?
It is easy to point the finger and blame the software provider for having poor controls that resulted in a data breach. In actuality, it is both sides of the fence that are responsible for the lack of controls.
The poor state of Frontier Software’s email security not only highlights that independent cyber posture assessments weren’t performed, but it also means Frontier Software’s clients and vendors do not have strict enough due diligence processes that are catered to the vendor. A software provider should be assessed for specific technical controls such as email security policies before they are onboarded.
Organisations should be monitoring and assessing their own and their vendors’ cyber postures at least annually. With the rapidly evolving cyber threat landscape, choosing to assume a secure environment or vendor can have drastic effects in a mere matter of months.
If Frontier Software had penetration testing or cyber posture assessments performed annually, these weak points would have been discovered upon initial assessment and could be rectified within a matter of days.
Similarly, if a client utilising their payroll suite had independent vendor assessments performed annually, these issues would have been identified and a roadmap put in place to rectify them before it is too late.
Email security is best addressed through the implementation of three security policies. SPF, DKIM and DMARC policies cost all of zero dollars to implement and could be completed within a single day (especially SPF and DKIM). Many email service providers such as Microsoft have built-in tools that simplify the process and even generate policies for you.
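The external check described above can be reproduced in a few dozen lines. The script below is an added example, not InConsult’s tooling or any Frontier Software code: it fetches the SPF record (the TXT record at the domain) and the DMARC record (the TXT record at _dmarc.<domain>), applies the checks an assessor would apply (record missing, duplicated SPF, a permissive `+all`, a monitor-only `p=none`, no reporting address) and produces a crude score. DKIM is not checked because it lives under a selector name that an outside party does not know in advance. The resolver is pluggable: the embedded records for vendor-a to vendor-d are constructed sample data, and for live DNS you would pass a function that returns a name’s TXT strings (for example, built on dnspython’s `dns.resolver.resolve(name, "TXT")`).

```python
"""Assess a domain's SPF and DMARC posture from its DNS TXT records.

Added example (not InConsult's tooling). The resolver is pluggable so the
script runs offline against constructed sample records; to check live DNS,
supply a function that returns the TXT strings for a name.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample DNS zone data: these are not real records for any real domain.
SAMPLE_TXT: Dict[str, List[str]] = {
    # Vendor A: no SPF, no DMARC, the situation the article describes.
    "vendor-a.example": ["google-site-verification=abc123"],
    # Vendor B: SPF present (softfail), DMARC in monitor-only mode.
    "vendor-b.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.vendor-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@vendor-b.example"],
    # Vendor C: strict SPF and an enforcing DMARC policy.
    "vendor-c.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"],
    "_dmarc.vendor-c.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@vendor-c.example"],
    # Vendor D: two SPF records (a permanent error under RFC 7208) and no DMARC reporting.
    "vendor-d.example": ["v=spf1 include:a.example -all", "v=spf1 include:b.example -all"],
    "_dmarc.vendor-d.example": ["v=DMARC1; p=quarantine"],
}


def sample_resolver(name: str) -> List[str]:
    """Offline TXT lookup over the constructed sample data."""
    return SAMPLE_TXT.get(name.lower().rstrip("."), [])


@dataclass
class EmailPosture:
    domain: str
    findings: List[str] = field(default_factory=list)  # human-readable issues, worst first
    score: int = 100                                   # crude 0-100 posture score


def _parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain: str, resolve: Callable[[str], List[str]] = sample_resolver) -> EmailPosture:
    """Check the SPF and DMARC records for `domain` and return findings with a score."""
    posture = EmailPosture(domain)

    # SPF: exactly one TXT record at the domain should start with "v=spf1".
    spf = [t for t in resolve(domain) if t.lower().startswith("v=spf1")]
    if not spf:
        posture.findings.append("CRITICAL: no SPF record; any host can claim to send for this domain")
        posture.score -= 40
    elif len(spf) > 1:
        posture.findings.append("HIGH: multiple SPF records; receivers treat this as a permanent error")
        posture.score -= 30
    else:
        # The trailing 'all' mechanism decides what happens to senders not listed.
        m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", spf[0])
        if m is None:
            posture.findings.append("MEDIUM: SPF has no 'all' mechanism; unlisted senders evaluate neutral")
            posture.score -= 10
        elif m.group(1) in ("", "+"):
            posture.findings.append("HIGH: SPF ends in '+all', which authorises every host on the internet")
            posture.score -= 30
        elif m.group(1) == "?":
            posture.findings.append("MEDIUM: SPF ends in '?all' (neutral), giving receivers no signal")
            posture.score -= 10

    # DMARC: a TXT record at _dmarc.<domain> starting with "v=DMARC1".
    dmarc = [t for t in resolve(f"_dmarc.{domain}") if t.upper().startswith("V=DMARC1")]
    if not dmarc:
        posture.findings.append("CRITICAL: no DMARC record; SPF/DKIM failures are neither enforced nor reported")
        posture.score -= 40
    else:
        tags = _parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy == "none":
            posture.findings.append("MEDIUM: DMARC p=none only monitors; spoofed mail is still delivered")
            posture.score -= 15
        elif policy == "quarantine":
            posture.findings.append("LOW: DMARC p=quarantine; consider moving to p=reject")
            posture.score -= 5
        elif policy != "reject":
            posture.findings.append(f"HIGH: DMARC policy '{policy or 'missing'}' is invalid")
            posture.score -= 30
        if "rua" not in tags:
            posture.findings.append("LOW: no 'rua' aggregate-report address, so failures go unseen")
            posture.score -= 5
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            posture.findings.append(f"LOW: DMARC pct={pct} applies the policy to only part of the mail")
            posture.score -= 5

    posture.score = max(0, posture.score)
    return posture


if __name__ == "__main__":
    for d in ("vendor-a.example", "vendor-b.example", "vendor-c.example", "vendor-d.example"):
        p = assess_domain(d)
        print(f"{d}: score {p.score}")
        for finding in p.findings:
            print("   ", finding)
```

Run against the sample data, vendor-a (no SPF, no DMARC) scores 20 with two critical findings, vendor-b scores 85 because `p=none` reports but does not enforce, vendor-c scores a clean 100, and vendor-d scores 60 because its duplicated SPF records break validation entirely. The point-weightings are illustrative; what matters for a vendor assessment is that the checks are mechanical, external and repeatable, which is why they belong in onboarding due diligence rather than in a post-breach review.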
Australia is falling behind the rest of the world
With such simple setup and zero cost that could easily prevent a successful cyber attack, we really are just one click away from poor cyber security.
Globally, the three email security policies mentioned above are widely adopted. Trends suggest as much as 80% of organisations have email security policies enforced, preventing email fraud, also known as email spoofing.
Unfortunately, in Australia the trends are just as high but in the opposite direction.
- InConsult research into email security practices in one single NSW government sector in 2021 concluded that over 90% of 128 organisations analysed had no or poorly configured email security policies allowing a threat actor to easily deliver successful email phishing attacks.
- The NSW Audit Office reported in October 2021 that government agencies have made “insufficient progress to improve cyber security safeguards” since the introduction of the government’s cyber security policy, and “the poor levels of cyber security maturity are a significant concern.”
With the vast majority in that industry also reporting at least one successful phishing attack in 2020-2021, it’s difficult to ignore the link between the poor email security and data breaches.
Don’t forget your vendors! Independent cyber posture assessments are crucial in not only identifying flaws but ensuring they can be prioritised for remediation. There is good reason that the most commonly used cyber security frameworks have a heavy focus on independent cyber posture assessments and independent vendor assessments.
How we help strengthen vendor risk management
Organisations understand the risks of doing business with third-party vendors, but they often lack the resources or expertise to implement and maintain effective vendor risk mitigation strategies — which could turn out to be costly. We have the expertise to help you gain insights into your vendors’ risks and recommend remediation strategies.
Our experienced cyber risk team use industry leading technology to monitor millions of companies, scan billions of data points and send targeted cyber security questionnaires to answer the question – How Risky or Secure Are My Vendors?
Our Vendor Domain Scan and Cyber Security Questionnaires deliver six benefits to you:
- Know your vendors’ cyber security posture: Our analysis will provide insight into vendors’ cyber security posture and include an overall security rating.
- Pinpoint the gaps and vulnerabilities: We help expose the vulnerabilities that may be exploitable on vendors’ websites and their cyber security practices.
- Compare vendors across the ecosystem: Our executive reports identify which vendors pose the highest risk across your entire vendor ecosystem.
- Security questionnaires: Targeted cyber security questionnaires with workflows allow deeper insights into a vendor’s security practices.
- Targeted reporting: We group risks into website risks, email security, network security, phishing & malware, reputation and brand protection.
- Start a conversation: You can work more closely with your vendors to communicate, discuss and remediate any gaps, or simply stop using higher-risk vendors.
Take the next steps
Don’t play the waiting game. The SA Gov data breach is a timely reminder that you should not neglect the cyber security posture of your vendors and how your organisation manages vendor risks.
Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities. We have extensive experience in vendor risk management, cyber risk management, vendor audit and assurance, crisis management and business continuity.
If you would like support in becoming a more cyber resilient organisation, contact us to discuss your needs.