Parliament House computer network hacked in a “security incident”
Peter Dutton said the government was taking the attempted cyber-attack on Parliament “very seriously” as authorities investigate if China had a pivotal role in the “sophisticated” hack.
Home Affairs Minister Peter Dutton says the government will work closely with the Australian Electoral Commission in the lead-up to the next election after an attempted cyber-attack on the federal parliament’s computer network.
Mr Dutton said the government was taking the attempted hack on Thursday night “very seriously” and that an investigation was underway.
When asked how the government was strengthening cybersecurity with the upcoming federal election, Mr Dutton said his department was working with the AEC to ensure Australia’s democratic processes were not compromised by foreign interference.
“Obviously we’ve seen what’s happened in the United States and other democracies,” Mr Dutton said at Brisbane’s AFP headquarters on Friday.
“Australians value the democratic rule of law in our country and we don’t accept that any process is interfered with.
“The government has a process led by the Australian Electoral Commission and Home Affairs is one of the agencies involved where they are looking at these very issues.”
The Minister would not confirm if a foreign government was linked to the cyber-attack and what data had potentially been compromised.
“It’s the nature of these cyber-attacks that a lot of investigative work needs to be undertaken before attribution can take place,” he said.
“But Australia, like any democracy, values very much our sovereignty and our ability to operate within the law. We expect it both domestically and internationally.”
CHINA PROBED AS HACK FORCES PASSWORD CHANGE
An urgent investigation is underway after Parliament House’s computer network was hacked in a “security incident” overnight and this morning.
Security industry sources told AAP it was possible China could be behind the latest attack.
The attack has been described as “sophisticated”.
All users of the parliamentary computing network, including MPs, senators and staffers, have been required to change their passwords.
It comes after News Corp reported cyber criminals have stolen the private details of millions of Australians, with new data revealing Aussies have been hit by more than 800 data breaches that could cause “serious harm” in the past year.
The Australian Signals Directorate, one of the nation’s security agencies, has confirmed it is working with the Department of Parliamentary Services to investigate the incident.
A spokeswoman said the ASD and its Australian Cyber Security Centre were working to understand “the full extent of this network compromise”.
“Meanwhile, the necessary steps are being taken to mitigate the compromise and prevent any harm,” she said.
“At this early stage our immediate focus is on securing the network and protecting its users.”
The spokeswoman would not comment on reports agencies were investigating whether a foreign power was behind the attack.
“Proper and accurate attribution of a cyber incident takes time,” she said.
Chinese intelligence agencies were behind a previous cyber attack on Parliament, where MPs’ emails may have been read, in 2011.
In a statement today, Speaker Tony Smith and Senate President Scott Ryan said: “There is no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation.”
“Similarly, we have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes.”
The speaker added that there was “no guaranteed approach to cyber security” but the department was working with expert agencies to detect and remediate any threats quickly.
Opposition leader Bill Shorten has been briefed on the hack but would not comment on who might be behind it.
Mr Shorten said the hack was a “wake-up call” for Australians, and added that Labor would invest more in cyber security for Australian medium and small businesses if elected.
“I think the Government needs to ramp up the priority it’s paying on cyber security. Just because you can’t see who your enemy is because they’re on the internet doesn’t mean they’re not your enemy,” he said.
MILLIONS HIT IN 812 DATA BREACHES
Passport numbers, bank details, credit card or tax file numbers, drivers licences, health information and contact details were lost or stolen in breaches that are occurring at a rate of at least two per day, Office of the Australian Information Commissioner figures show.
A staggering number of people, between one and 10 million, were exposed to serious harm in a single data breach in late 2018, while a whopping 64 per cent of the 262 data breaches in the December quarter were the result of hackers conducting “malicious or criminal attacks”.
Phishing, malware, ransomware and “brute-force” attacks were some of the key tactics hackers used, along with using compromised or stolen credentials, social engineering or impersonation.
Rogue employees or an “insider threat” were responsible in 12 per cent of criminal data breach cases.
The number of data breaches in 2018 was a massive seven times higher than in 2017, when only 114 breaches were reported, thanks to the government introducing mandatory reporting in February.
But experts are calling for the law to be reviewed now the extent of the problem has been revealed, including considering whether Australia should adopt fines for companies which allow a data breach to occur through carelessness.
Under the scheme, companies or government agencies face fines of up to $2.1 million if they do not report within 30 days when customers’ personal information is lost, stolen or accessed by an unauthorised third party.
Even then, companies are only required to report if the customer could be exposed to “serious harm” through the breach.
Shadow Attorney-General Mark Dreyfus stopped short of saying Labor would launch a review but told News Corp Australia the party would “scrutinise” the legislation if it won government to “ensure it is working as intended”.
He said it was encouraging data breaches were being reported but added “the sheer volume is obviously concerning”.
Digital security expert Troy Hunt, founder of the globally-renowned website Have I Been Pwned?, said a full review was needed, particularly of the 30-day period companies have to report, the requirement that there must be a risk of serious harm, and that mandatory reporting is required only of companies with turnovers of more than $3 million annually.
Companies in the European Union have just 72 hours to report.
Mr Hunt also said fines should be introduced for companies which allowed breaches to occur through carelessness, like in the UK where authorities slapped telco TalkTalk with a £400,000 ($A728,000) fine after an investigation found hackers were able to access systems “with ease” and take advantage of “technical weaknesses”.
“There needs to be some sort of disincentive for organisations to have these incidents,” Mr Hunt said.
“Without some sort of regulatory penalty, it’s hard to see where that is, other than their own fear of reputation damage.”
University of NSW cyber director Nigel Phair also called for a review to examine the current laws as well as the OAIC’s resources and capacity to investigate breaches.
“This should include trends with breach notification, what organisations are doing to fulfil the spirit of the legislation and is the reporting template sufficiently granular to enable accurate reporting,” he said.
“We also need more granular reporting from the OAIC regarding industry sectors where breaches occur, the number of investigations commenced and the outcomes, including any fines and/or enforceable undertakings.”