Recently, Sunwater, Queensland’s largest regional water supplier, disclosed that it was targeted by hackers. Read on to know more about it…
Sunwater, Queensland’s largest regional water supplier, revealed that it was targeted by hackers which was undetected in a nine-month-long cyberattack.
Last year, it was discovered that hackers placed suspicious files on a webserver in order to reroute visitor traffic to an online video platform.
After a Queensland Audit Office report investigating the state’s water authorities was tabled, Sunwater admitted the cyber breach. The report noted the cyber incident but did not specify which authority was targeted.
Audit Report on the Cyberattack
Sunwater disclosed that it was the authority affected by the breach highlighted in the Audit Office’s report in response to enquiries from the ABC media.
It said “Sunwater takes cyber security very seriously and acknowledges the findings in the Queensland Audit Office report,”
The cyber breach occurred between August 2020 and May 2021, according to the Water 2021 report, and involved unauthorised access to the entity’s web server, which stored customer information.
“Threat actors,” according to the report, targeted an older, more vulnerable version of the system.
According to the report, the webserver contained suspicious files that increased visitor traffic to an online video platform.
The cyber breach went unnoticed for nine months due to system flaws, according to the report.
The report examined at six water authorities, including Seqwater, Sunwater, Urban utilities, Unitywater, Gladstone Area Water Board, and Mount Isa Water Board, and warned of vulnerabilities in information systems.
Internal control flaws, such as those involving fund transfer payment information, were also discovered.
The 36-page report recommended that “ongoing security weaknesses in information systems” be addressed immediately.
It was observed that in the instance of the cyber breach, steps were made to address the issues, including updating softwares, the use of stronger passwords, and the monitoring of incoming and outgoing network traffic.
Despite the audit office’s recommendation last year that authorities strengthening the security of their information systems, not all had taken the action, according to the report.
The report noted that, on June 30, three of the six authorities still had “control weakness”.
Multi-Issues in Internal Controls
The report also identified issues with internal controls, identifying 24 flaws in the sector.
These issues included electronic funds transfer payment information, security of supplier and employee information, and in one case, deficiencies in a review of the effectiveness of property, plant and equipment.
The report noted that one authority had three inadequacies in managing user access across financial, invoicing, and payroll systems.
It said that entities should only assign staff the minimum access they need to do their duties.
The report stated that the entities concerned had responded to the issues and were working to resolve them.