Home Cyber Security TfNSW hit by another data breach

TfNSW hit by another data breach

TfNSW hit by another data breach

Transport for NSW has been hit by another data breach, less than a year after the Auditor-General delivered a report into the department’s cyber security problems.

NSW Auditor General Margaret Crawford.

The department revealed last week that its Authorised Inspection Scheme (AIS) online application was impacted by a cyber-incident in early April.

“During the incident, an unauthorised third party successfully accessed a small number of the application’s user accounts,” TfNSW said in a statement.

“Additional security measures were put in place and monitoring of the application is continuing.”

AIS is a system that allows examiners to inspect vehicles to ensure a minimum safety standard for various reasons, the most common being for annual renewal or transfer of registration.

TfNSW is notifying affected examiners and providing options to help them avoid further impacts from the incident.

“We recognise that data privacy is paramount and deeply regret that customers may be affected by this attack,” the department said.

‘Significant’ cyber security risks

In February last year, TfNSW was one of the global organisations that fell victim to the Accellion data breach, with data stolen from the file-sharing system.

It said the breach was limited to Accellion servers and no other Transport for NSW systems were affected, including systems related to driver licence information or Opal data.

In July last year, a report from the NSW Auditor-General revealed that TfNSW and Sydney Trains were not effectively managing their cyber security risks.

“Neither agency is fostering a culture where cyber security risk management is an important and valued aspect of decision-making,” the report said.

“TfNSW is not implementing cyber security training effectively across the cluster with only 7.2 per cent of staff having completed basic cyber security training.”

NSW Auditor General Margaret Crawford said her audit uncovered “significant risks” that both agencies failed to pick up.

Furthermore, the report revealed that both agencies were falling short of standards set out by the NSW Cyber Security Policy (CSP).

The CSP sets out 25 mandatory requirements for government agencies, including implementing the Australian Cyber Security Centre’s Essential 8 strategies relating to malware, cyber attacks and misuse, and data recovery.

Like this news?

Leave a Reply

Your email address will not be published.