Two thirds of NSW Government departments do not have even basic cyber protection
Less than one third of NSW Government agencies have the basic mandatory protections in place to protect them from cyber attacks, a scathing new report has found.
And a NSW Government whistleblower told The Daily Telegraph that most departments and agencies are operating on legacy computer systems from 2008 and would have no idea if they had been breached.
The Auditor General’s latest report into cyber security warned that attacks were increasing and hackers were using more “advanced hacking tools, including artificial intelligence” to gain access to personal data.
But despite this, the Cyber Security Insights 2025 Audit report found that 69 per cent of NSW Government agencies did not even have the basic mandatory network and cyber security training protections in place.
“Most agencies do not fully meet the requirements of the NSW Cyber Security Policy,” the report said. “A lack of compliance in this domain may increase the likelihood of a cyber security incident and related impacts.”
The report said last year “152 significant, high and extreme residual cyber security risks were reported by 27 public sector agencies.”
Of those 152 risks reported, 28 had fixes that were either “largely or completely ineffective” and 60 did not have a timeline that would see them reduced “to an acceptable level.”
It said government agencies blamed the failures on ongoing security upgrades being installed and “budget constraints”.
The revelations come after a “vishing” attack on a Qantas call centre in Manila last week saw the personal information of six million customers compromised.
The NSW Government whistleblower said that hack increased the risk to government systems because staffers used their work emails to communicate with Qantas.
“Systems in the government have not been upgraded for decades. NSW government departments are severely vulnerable. They are working on old servers from 2008,” the whistleblower said.
The audit report also found a glaring blind-spot in the government cyber security network through external contractors.
“Agencies and Cyber Security NSW may not be aware of any noncompliance against the Cyber Security Policy where the cyber security control practice is provided by third parties,” it said.
Cyber security expert James Sinclair, chief executive of Finstead Risk Solutions, said the 2022 hack on Optus, which compromised the data of 10 million customers, illustrated the ambition of cyber crooks.
“All business and government is being targeted,” he said. “They offer a whale of a return to a hacker.
“Everyone is wide open and often the weakest link is something very basic and can come down to someone falling for a fake phone call.”
Customer Service and Digital Government Minister Jihad Dib said Cyber Security NSW, which co-ordinates government digital safety, had “strengthened requirements” for government agencies to meet basic security settings.
“This work continues,” he said.
“In this year’s Budget, the Minns Labor Government committed $87.7 million across four years, providing the agency with budget certainty for the first time since its establishment.”
Marie Patane, NSW Chief Cyber Security Officer, said the cash would be used to bring in a “more sophisticated cyber security governance model” that all arms of government would be expected to follow.
“It is the responsibility of all agencies to meet the mandatory requirements as set out in the Government’s cyber security policy. Cyber Security NSW assists agencies in achieving compliance where possible,” she said.