Question
3.3 Cyber and data breach incident

In March, SNSW was the victim of a criminal cyber-attack. Initially, this was reported to the SNSW Cyber Security team after a high volume of spam emails was delivered to a range of users within SNSW. The incident was identified as a phishing attempt. The email was purged from staff mailboxes and newsflashes were posted to all staff via the contact service desk to reset their password if they clicked the link in the message body.

A subsequent event was discovered on 14 April when over 2,000 internal SNSW employees received an email from an internal employee's email address. The SNSW Cyber Security Team identified this as a Business Email Compromise (BEC) and reported the event to DCS CISO and Cyber Security NSW.

16 December 2020 Information Integrity Solutions Pty Ltd

SNSW and DCS engaged an independent cyber forensics firm, 'Crowdstrike', to investigate the incident. During the investigation Crowdstrike produced a technical report containing evidence of suspicious login activity from the user's mailbox used in the BEC and another 47 staff accounts. Through further analysis, on 21 April, Crowdstrike determined that 47 staff email accounts were accessed, and mailboxes synchronised to a remote server via the IMAP protocol.

SNSW enforced password resets of the compromised accounts and engaged DCS Governance and Risk and Cyber Security NSW to report a data breach to IDCARE, the NSW Information and Privacy Commission (IPC) and the federal Office of the Australian Information Commissioner (OAIC). On 26 April, DCS migrated the SNSW email domain and staff email to the DCS Microsoft Office 365 Tenant.
SNSW and DCS implemented a range of controls to contain the incident, including enabling and enforcing Multi-Factor Authentication (MFA), upgrading the DCS Microsoft Office 365 instance to 'E5' licensing for advanced security features including active Risky Login Blocking and disabling Legacy Authentication protocols.

SNSW and DCS then engaged an independent forensic IT investigation to assess how many customers have been affected by the breach through analysis of the mailbox contents.

The following categories of information were compromised in the data breach:

- Financial details (e.g., bank account details, payment cardholder number, transaction history, credit report)
- Tax File Numbers (TFN)
- Identity information (including Centrelink Reference Number (CRN), passport, driver license, birth certificate)
- Contact information (including home address, phone number, email address)
- Health information (including medical forms, patient notes, medical certificates)
- Other sensitive information (including sexual orientation, political opinion, religious views, racial origin, etc.)
- Staff/HR information (including sensitive employment information such as disciplinary matters and health information).
Some further statistics on the breach include:

- 730 GB of data exfiltrated
- 3.8 million documents compromised
- Up to 186,000 customers whose personal information was breached
- 10 government agencies impacted (six in NSW and four Federal)
- At least three key IT systems had to be designed and deployed in response to the breach (NUIX platform, SNSW Salesforce, IDCARE portal)
- A total of 422 internal and external people were working either full-time or part-time on the response and remediation of the cyber-attack; 70 were directly involved in the taskforce core team, and most of the others worked on data forensic analysis and Hypercare customer support
- Notification is expected to be completed eight months after the first attack

As Service NSW's response to this breach was ongoing at the time of this review, the full cost of its response was not known. However, it is expected to be in excess of $30 million.

At the time of writing, NSW Police has reported that there has not been evidence of SNSW data circulating on the Dark Web and there has not been any significant increase in scam activity (such as someone pretending to be SNSW). IDCARE reported that it was only aware of 26 cases of reported data misuse, but it is far from clear whether the reports arose from misuse of data from the SNSW breach or elsewhere. However, it is also known that cyber-crime syndicates will collect information from different sources to piece them together and exploit them over time. SNSW may not know the extent of data misuse stemming from the breach for some time, if ever.

For further information related to SNSW and the data breach context, refer to Appendix B.
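The excerpt describes mailboxes being synchronised over IMAP and legacy authentication being disabled afterwards. The following is an added example, not part of the report or the original question, showing one way a defender could flag that pattern in sign-in records; the CSV layout, field names, accounts and addresses are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample sign-in records in a simplified CSV layout (not a real product
# export): timestamp, user, client protocol, source IP, result.
SAMPLE_LOG = """\
timestamp,user,protocol,src_ip,result
2024-01-10T08:01:11Z,alice@example.test,browser,198.51.100.10,success
2024-01-10T08:05:42Z,bob@example.test,browser,198.51.100.11,success
2024-01-11T02:14:03Z,alice@example.test,imap,203.0.113.77,failure
2024-01-11T02:14:09Z,alice@example.test,imap,203.0.113.77,success
2024-01-11T02:15:30Z,carol@example.test,imap,203.0.113.77,success
2024-01-11T09:00:00Z,bob@example.test,imap,198.51.100.11,success
2024-01-11T09:30:00Z,dave@example.test,pop3,203.0.113.90,failure
"""

# Basic-auth protocols that take only a username and password, so MFA is bypassed.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp"}

def find_suspect_legacy_logins(log_text):
    """Return {user: [(timestamp, protocol, src_ip), ...]} for successful
    legacy-protocol sign-ins from an IP that has not already been seen on a
    successful non-legacy sign-in for the same user."""
    known_ips = defaultdict(set)
    suspects = defaultdict(list)
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for row in rows:
        if row["result"] != "success":
            continue
        user, proto, ip = row["user"], row["protocol"].lower(), row["src_ip"]
        if proto in LEGACY_PROTOCOLS:
            if ip not in known_ips[user]:
                suspects[user].append((row["timestamp"], proto, ip))
        else:
            known_ips[user].add(ip)
    return dict(suspects)

def shared_source_ips(suspects):
    """Return source IPs that appear in suspect logins for more than one account."""
    users_by_ip = defaultdict(set)
    for user, events in suspects.items():
        for _, _, ip in events:
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    suspects = find_suspect_legacy_logins(SAMPLE_LOG)
    print(suspects)
    print(shared_source_ips(suspects))
```

One source address succeeding over a legacy protocol against several accounts is the signal worth escalating; a lone hit can be an old mail client that has not been reconfigured.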