South Australia’s normally placid politics were thrown into further turmoil last Friday with the revelation that the personal details of up to 80,000 public servants, including home addresses, tax file numbers, bank account details and super contributions, were compromised following a ransomware attack on the government’s external payroll software provider, Frontier Software.
The attack appears to have been perpetrated by the ransomware outfit Conti, which on November 16th uploaded details of a successful heist to its data leak portal, details that closely match those described by Frontier Software and the SA Government. This is an example of a so-called “double extortion” attack, so named because the attacker threatens the public release of the purloined data.
Conti, which according to the Australian Cyber Security Centre (ACSC) is associated with Russian-speaking cybercrime actors, has been active since it was first detected in early 2020, successfully infiltrating organisations including Ireland’s Department of Health.
SA Treasurer Rob Lucas has conceded that the Frontier Software breach is likely to end up being the most significant in the state’s history. But the truth is that it was not even the only significant ransomware attack perpetrated by Conti on an Australian target in November 2021. The group has also claimed responsibility for an attack in late November on the Queensland Government-owned energy company CS Energy (not that it stopped News Corp from promptly accusing Chinese hackers), while in its profile of Conti the ACSC states they are “aware of multiple instances of Australian organisations [that] have been impacted by Conti ransomware in November and December 2021”.
The Frontier breach is the latest in a growing number of ransomware attacks targeting Australian governments and businesses, as well as the latest chapter of a by-now familiar story of the outsourcing of important government functions and an insufficient understanding of the risks created.
As news outlets such as Crikey have detailed, the COVID-19 pandemic has provided governments with all the justification they need to dramatically accelerate the outsourcing of work to private providers (the Big 4 accountancy firms chief among them). But beyond the outsourcing of policy work, there is also a vast hidden network of back-office, “shared services” systems which have not been handled directly by state governments for years, despite housing the private information of thousands of public sector workers. The South Australian Government has relied on Frontier Software to manage payroll services since 2001 – before Mike Rann became Premier.
In the good times, this can reduce operating costs. But it has huge downsides. Evidence suggests that the breach of Frontier Software occurred on or around November 16th. Why, then, was the SA Government apparently not informed until a fortnight ago? (In fact, as of November 18th, Frontier was saying that there was “no evidence of any customer data being exfiltrated or stolen” – which may have been technically true, but was definitely not substantively true.) Secondly, there is the asymmetry of risks: the SA Government was one of approximately 1,500 Frontier Software clients. I doubt South Australia’s public servants (full disclosure: I used to be one, and a handful of my friends still are) appreciate the fact that they seemingly don’t rank very highly on Frontier’s list of priorities.
Whether perpetrated by state actors or lone wolf black hats, ransomware attacks are a large and growing threat facing Australian governments and businesses. According to the Australian Cyber Security Centre (ACSC), there has been an increase in the number of such attacks since 2017. Yet, warns Michael Sentonas, Chief Technology Officer at CrowdStrike, the threat is not being taken seriously enough.
Governments and energy companies are not the only organisations at risk of ransomware attacks. The Australian National University was targeted by a huge cyberattack by what is believed to be a state-affiliated actor in late 2018, while in its October Financial Stability Review the Reserve Bank warned that it is “almost inevitable that at some point the defences of a significant financial institution will be breached.”
It’s clear that all levels of government in Australia must invest in their native cybersecurity capabilities – as should all prominent businesses operating in strategically vital sectors of our economy such as banking, energy, mining, higher education, and defence.
But neither SA Premier Steven Marshall nor Opposition Leader Peter Malinauskas is likely to be consumed by those thoughts today.
South Australians go to the polls on March 19th. The government, already reeling from a political crisis principally of its own making, has now been confronted with another blow to its competence. As for the Opposition, it’s not hard to imagine them cutting a campaign ad – complete with ominous voice-over – asking “Can you trust this lot to keep your data safe?” It might just prove an election-winning law-and-order pitch for the digital age.