The Super SA data hack impacted thousands but took two months to come to light. Here’s what we know – ABC News
“It’s simply not good enough.”
That’s how South Australian treasurer Stephen Mullighan reacted in parliament on Wednesday when he was asked about a cyber security breach involving government superannuation provider Super SA.
Information linked to more than 14,000 members was accessed by hackers about two months ago.
But Mr Mullighan said he only found out about the incident less than a fortnight ago.
It’s the second time in less than two years that private data from a state government agency, held by a third-party firm, has been illegally accessed.
In November 2021, hackers hit payroll provider Frontier Software, impacting more than 90,000 public servants.
Here’s what we know about the latest cyber security breach so far.
Cyber attack related to 2019 breach
The government said the most recent security breach stemmed from a previous cyber attack involving Super SA in November 2019.
Data pertaining to 14,011 Super SA members was accessed during the hack.
To help respond to members caught up in the incident, Super SA hired the services of a call centre — Adelaide-based company Contact 121 — in 2020.
After its contract with Super SA ended, the government said, Contact 121 kept data about the members and about two months ago that information was accessed.
The government said Super SA became aware of the latest cyber security incident on September 1 this year, but it didn’t receive confirmation that a breach had occurred until October 4.
It said all members who were implicated in the 2019 cyber breach were also impacted by this latest attack.
Mr Mullighan told parliament last week the Department of the Premier and Cabinet was informed of the latest cyber breach on August 18, but he was only told on Thursday, October 12.
“Government agencies need to do a much, much better job at firstly, trying to insulate themselves as best they can against these attacks in the first place, but secondly respond to them in a timely, thorough and appropriate way,” he said on Wednesday.
Government still investigating breach
Mr Mullighan said the government was investigating why Contact 121 had retained Super SA members’ data on its systems.
“That raises … a series of further questions — what requirements are there for these agencies to not continue holding government data on their ICT systems after they complete doing work for government?” he told parliament on Wednesday.
“It is absolutely clear that the way in which these incidents have been managed is not good enough because it’s causing the exposure of sensitive South Australians’ data to be exposed to illegal access.”
On Thursday, Mr Mullighan told parliament the government no longer used Contact 121’s services.
“We are unaware of other government agencies using them post-2020,” he said.
“The advice I have is that we are not aware of government agencies continuing to use this company to date.”
Meanwhile, Super SA told its members on Monday that it was taking “an abundance of caution to secure member accounts”.
“At this stage it is still unknown if any of the Super SA data has been accessed.”
ABC News has contacted Contact 121 for comment.
Experts call for stronger data protection
Adelaide cyber security lawyer Darren Kruse said companies in South Australia and across the country were not legally required to delete client data once they no longer had a practical use for it.
“Obviously they have a duty of care to hold information securely and safely,” he said.
“But there’s no specific laws about curation of data or the method for holding it.”
Mr Kruse said the SA government had published a discretionary set of guidelines outlining how government agency data is collected, used, transmitted and managed, but he described it as “out of date”, having been authored in 2018.
“The data breach problem is not going away,” he said.
Macquarie University cyber security studies expert Jeff Foster told ABC Regional Drive it could take “quite a while” for companies impacted by breaches to find out what information had been compromised.
“In this case with South Australian Super we don’t actually know what was taken or if any personal-identifying information was taken at all,” Dr Foster said.
“It can be extremely difficult to figure out exactly what was stolen in a breach, what was accessed and how it was accessed.”
Opposition spokesperson Heidi Girolamo said it was important for the government to invest in protecting data from hackers and that policies “always need constant review and improvement”.
“Clearly after this breach that we are seeing now it does highlight gaps that need to be addressed,” she said.
“It is an area that is changing every single day.
“It’s an area of focus right across the private sector and I think the public sector needs to ensure that they have the right systems in place.”