The government has admitted the breach and how it has been handled is “simply not good enough”.

Treasurer Stephen Mullighan confirmed the incident in response to a question from the Opposition in parliament on Wednesday.

“I am aware of a situation where a service provider to a number of government agencies, including but not limited to Super SA, had its cybersecurity breached and data was taken from that firm,” he said.

He said the breach had occurred nearly two months ago – but he and the affected members have only just been told.

“I was only advised … late last week,” he said.

“Now, Treasury is not the lead agency for cybersecurity management in government but, regardless, as a minister responsible for a government agency that had its data potentially breached, to not be told for that length of time is quite frankly unacceptable.

“More to the point, it’s unacceptable to the people who have had their information accessed or information breached or who have had their livelihoods impacted.”

Super SA, a government agency, is a dedicated fund for public sector workers in South Australia.

The data breach occurred when a “threat actor” targeted a call centre that had been contracted by Super SA to field inquiries from up to 14,000 members affected by a separate 2019 breach.

The information stolen this time was the same data that was the subject of the previous breach.

Mr Mullighan said it is believed that members’ information has not been publicly accessed as a result of the most recent attack.

In a statement to members this week, Super SA said “a small cohort of members” may have been impacted by a cyber security incident.

“We are taking an abundance of caution to secure member accounts in the acknowledgment that the data has been breached, however, at this stage it is still unknown if any of the Super SA data has been accessed,” it said.

Mr Mullighan said an investigation was underway into why the data had been kept by the call centre for so long.

He said he was not convinced that the response from government agencies and the call centre operator was appropriately timely and thorough.

The Department of Premier and Cabinet was first made aware of the breach on August 18 – the first government agency to be notified.

“It’s simply not good enough,” he told parliament.

“This is not the first time this has happened in government … and the way in which government responds to this needs to improve because it is letting, on these sorts of occasions, thousands, sometimes many thousands of South Australians down, and that is simply not good enough.”

Mr Mullighan said he would report back to the parliament on how many members have been affected, and what kind of data has been stolen.

Public Service Association of SA general secretary Natasha Brown said the PSA was extremely concerned that another incident of this type has occurred.

“Public sector workers should be able to expect that their privacy and personal and financial data is protected when it is entrusted to government agencies,” she said.

“We expect the government to leave no stone unturned to find out how this breach occurred; to do everything possible to minimise the impact of the breach on our members; and to take every possible action to ensure that it does not happen again.”

Opposition treasury spokesman Matt Cowdrey said the government’s delay in making information about the cyber-attack public was “quite frankly astounding”.

“It’s completely unacceptable that Peter Malinauskas and Stephen Mullighan were advised about this cyber-attack last week, but kept it secret and haven’t done a thing to assure South Australians that their data is safe,” he said.

Mr Mullighan said Mr Cowdrey’s stance was hypocritical because the former Liberal government did not make public the initial 2019 breach on Super SA.

In December 2021, a major ransomware attack on Frontier Software led to theft of the personal details of more than 90,000 South Australian public servants.

More Coverage

Sensitive data leaked as law firm cyber attack hits SA government

Mitch Mott

Police reveal how they caught SA’s biggest online scammers

Mitch Mott