At least 14,000 Super SA clients have fallen victim to the major cyber breach after names, addresses, dates of birth, phone numbers and driver’s licences were stolen more than three months ago.

Senior government lawyers are investigating if any penalties or financial “redress” can be taken against the company at the centre of the scandal, Contact 121, state parliament heard on Monday.

The company, which may be billed for victims to replace key documents such as drivers’ licences, appears to have failed to have deleted the data despite a 2019 contract having such a clause, it was claimed. Other government agencies may be involved.

MPs were initially told authorities took at least three weeks to have data removed from the “dark web”, which is a difficult to trace part of the internet.

But senior Treasury and Finance Department officials late on Monday were forced to issue an embarrassing “clarifying” statement that a threat was received three weeks before the data was leaked on the dark web.

“To be clear, the threat from the cyber threat actor was up for a period of three weeks, not the data itself,” Treasury Department chief executive Rick Persse said outside parliament.

Earlier told the Upper House’s Budget and Finance Committee that authorities believe the hacker was an foreign “threat” gang but no taxpayer-funded ransom was paid.

Admitting he felt like a “Jason Bourne” spy novel, Mr Persse, the Under Treasurer, said cyber security authorities could find no trace on either the dark web or public parts of the internet.

No further details were given on the number of victims or how the data has been used while it is unclear if the breach occurred overseas.

Super SA, a government agency, is a dedicated fund for South Australian public sector workers.

MPs heard the Department of Premier and Cabinet identified the threat on August 18 but the data was deleted three weeks later on September 8.

Mr Persse said DPC cybersecurity experts “proactively monitor the dark parts of the internet where these criminals transact”, which is how the breach was detected.

Treasury chief services officer, Scott Bayliss, revealed the data breach occurred after a criminal gang called NoEscape – that is known to blackmail hacking victims – stole an “unencrypted file”.

Mr Bayliss said there was no information on the file that suggested it was Super SA, only the name of Contact 121, which was the call centre at the centre of the scandal.

The data breach occurred when a “threat actor” targeted a call centre that had been contracted by Super SA to field inquiries affected by a separate 2019 breach.

The committee heard the 2019 data was not exposed to the dark web.

After learning Super SA data had been stolen on September 21, Mr Persse said he told Treasurer Stephen Mullighan on October 12.

“I am comfortable that our people in Treasury and Finance and in DPC are well equipped and taking this incredibly seriously,” he said.

He defended the delays in telling members.

“Without being frivolous, I think it’s not responsible for us to go out and communicate that maybe we’ve got a problem to tens of thousands of members without being able to provide any specificity whether it was all members or which cohort,” he said.

Super SA’s acting chief executive, Patrick McAvaney, added: “It was very difficult to determine just what data had been breached before we could notify members accordingly.”

He said when the threat identified potential data being compromised new controls were launched including more stringent identification checks.

The information stolen was the same data that was the subject of the previous breach.

Opposition spokeswoman, Upper House Liberal MP, Heidi Girolamo, said: “In today’s world, cyber attacks are becoming more and more frequent, and Labor’s handling of this latest major attack has South Australians worried over the safety of their personal information.”

Last week under Opposition questioning, Mr Mullighan revealed he was only told of the breach weeks later.

He said the service provider to a number of government agencies, including but not limited to Super SA, had its cybersecurity breached.

“It’s simply not good enough,” he told parliament.

Liberal MP Matt Cowdrey said he had “serious doubts” the hack would ever have been made public.

Premier Peter Malinauskas said authorities “don’t have any reason to believe it’s expanded beyond that as things currently stand” or have information any identity fraud had occurred after the data was online for a “very small moment”.

“These cyber attacks on private businesses and governments and now tragically part of the modern world,” he said.

“And we’re going to continue to invest in our preventative mechanisms to be able to mitigate those attacks and prevent them.”

Public Service Association of SA general secretary Natasha Brown has said the PSA was extremely concerned that another incident of this type has occurred.

“Public sector workers should be able to expect that their privacy and personal and financial data is protected when it is entrusted to government agencies,” she said.

“We expect the government to leave no stone unturned to find out how this breach occurred.”

More Coverage

Libs hack a mystery as cops probe ‘European gang’ theory

Andrew Hough

Landmark review puts ‘invisible threat’ next to Covid, floods

Andrew Hough