The state government has ordered an urgent review of the state’s TAFE cyber security systems after hackers accessed the private details of 13,000 students at North Metropolitan TAFE.
Education minister Sue Ellery told Radio 6PR the breaches occurred on August 28 and September 5 when an unauthorised person gained access to the TAFE’s IT system via remote access.
The breaches come two months after the McGowan government announced a revised digital security policy aimed at addressing weaknesses in the security of public sector IT systems repeatedly identified by the state’s Auditor General.
Ms Ellery said the hacker accessed staff and student details including names and addresses, some encrypted password files and internet protocol addresses.
“As soon as this was discovered, immediate action was taken to shut down the system and to identify sources of the breaches,” she said.
“There were some 13,000 student network accounts that were impacted.
“It’s important to know that none of the information that was accessed contained current password and log-in credentials and there is no evidence that any students’ financial or banking information was accessed.”
The second breach at the TAFE, which occurred overnight on Tuesday, was described by Ms Ellery as “unsophisticated”.
“I’m advised that all of the TAFE systems across WA have run scans. I’m advised three out of the four confirmed this morning they found nothing, I’m still waiting to hear back from the fourth,” she said.
“There’s no evidence that the data [the hackers] got has been exported, so if they’ve collected information it does appear, but they’ve not been successful, nor attempted to export it.
“I’m told it does appear to be a fairly unsophisticated effort, but nonetheless we need to be vigilant against this.”
The revised digital security policy, released on June 28, aims to help WA’s public sector protect itself against cyber threats by aligning with internationally established standards for security management systems.
There is no deadline provided for agencies to meet the standards, with the policy described as being “a progressive and evolving process” that was not expected to be immediately adopted.
WA Auditor General Colin Murphy, one day after the revised policy was announced, released a damning report showing state government agencies continued to fail to take “simple steps” to protect their IT systems.
“I continue to report the same common weaknesses year after year and yet many agencies are still not taking action,” he said.
“This is particularly frustrating given that many of the issues I’ve raised can be easily addressed – including poor password management and ensuring processes to recover data and operations in the event of an incident are kept updated.
“The risk to agency operations and information is real and needs to be taken seriously.”
The Auditor General’s 2016 Information Systems Audit Report found only seven out of 46 agencies audited had appropriate controls to effectively support confidentiality, integrity and availability of information systems.
In February, the Community and Public Sector Union claimed more than 71,000 TAFE students’ contact information was exposed by an IT glitch.
At the time, the union said the issue was picked up by a student from the Mount Lawley campus.
The glitch, the union said, stemmed from a newly installed centralised database for TAFE, due to the recent mergers of multiple campuses.
“The TAFE mergers were a rush-job and clearly some mistakes have been made trying to centralise the IT system,” CPSU branch secretary Toni Walkington said in February.
But Dr Ruth Shean, Department of Training and Workforce Development Director General, denied there had been a security or privacy breach of the TAFE student email system.
“The Department of Training and Workforce Development is aware of one instance where an invalid street address appeared on the system and some other instances where student telephone numbers appeared,” Dr Shean said.
“The Department immediately deleted this data and restricted non-essential data fields to prevent private details being available from the system.”