Queensland’s largest regional water supplier Sunwater says it was targeted by hackers in a cybersecurity breach that went undetected for nine months.
- 2021 Auditor General’s water audit found hackers gained access to a water supplier’s servers
- No customer or financial information was stolen during breach, auditor says
- Three of the six water authorities still had “control weaknesses” in their systems, according to the report
It has been revealed that hackers left suspicious files on a web server to redirect visitor traffic to an online video platform last year.
Sunwater admitted the cyber breach after the Queensland Audit Office filed a report with state water authorities, which mentioned the incident but did not indicate which authority was targeted.
Following questions from the CBA, Sunwater confirmed that this was the authority affected by the violation revealed in the Audit Office report.
A Sunwater spokesperson said no financial or customer data was compromised and immediate action was taken to improve security once unauthorized access to an online content management system was detected.
“Sunwater takes cybersecurity very seriously and recognizes the findings of the Queensland Audit Office report,” he said.
The Water 2021 report stated that the cyber breach occurred between August 2020 and May 2021 and involved unauthorized access to the web server of the entity that stored customer information.
The report found that the “threat actors” had targeted an older and more vulnerable version of the system.
The web server contained suspicious files which increased visitor traffic to an online video platform, according to the report.
It noted that weaknesses in the system had allowed the cyber breach to go undetected for nine months.
Six water authorities, including Seqwater, Sunwater, Urban Utilities, Unitywater, the Gladstone Area Water Board and the Mount Isa Water Board, were examined in the report, which warned of the vulnerability of information systems.
Deficiencies in internal controls, particularly with regard to information on remittance payments, were also highlighted.
The 36-page report called for immediate action to correct “ongoing security weaknesses in information systems.”
It noted that in the case of the cyber breach, steps had been taken to address the issue, including updating the software, using stronger passwords, and monitoring inbound and outbound network traffic.
The report indicates that although the audit office last year recommended that entities strengthen the security of their information systems, not all had acted to resolve the problem.
It said three of the six entities still had “control weaknesses” on June 30.
Several issues found in internal controls
The report also highlighted problems with some internal controls, finding 24 gaps in the sector.
These concerned access to information on electronic funds transfer payments, the security of vendor and employee information and, in one case, gaps in the review of the effectiveness of tangible capital assets.
One authority was found to have three shortcomings when it comes to managing user access to financial, billing and payroll systems, the report notes.
It said entities should only grant employees minimum access to perform their jobs.
Under the headline “Further action needs to be taken,” the report states that cyber attacks pose a risk with the changes taking place in entities’ work environments due to COVID-19.
Responses to the issues have been received from the entities involved to correct the issues raised, the report says.
The report also noted the liabilities of the South East Queensland flood class action lawsuit in 2011 when flood victims sued the state government, Sunwater and Seqwater.
Seqwater was no longer liable for the class action damages after successfully appealing the court judgment, according to the report.
However, Sunwater’s settlement was $80 million below estimates in its 2019-20 report, the auditor found.
In this fiscal year, Sunwater estimated its flood liability to be $330 million.
The report states that the profits of the water sector increased by $234.7 million for the fiscal year 2020 to 2021.
The sector’s total shareholder return was $497.2 million, made up of dividends paid to Queensland government shareholders, a portion of water distributor-retailer profits paid to local governments, and tax equivalents on income paid by business operations in government instead of tax.
Another issue pointed out by the report was that Queensland was affected by extreme weather conditions with 34 tips fully declared in drought.
It also noted that the state water recycling system that treated wastewater effluent from Brisbane and Ipswich at three water treatment plants remained in “service and maintenance” mode, which means that it was not used at full capacity during the last fiscal year.
However, purified water recycled from the perimeter was used in power plants instead of water from dams.