The Australian National Audit Office (ANAO) recently stated that Australia Post has failed to manage cyber risks and implement a proper cybersecurity framework, highlighting weaknesses in its risk management activities.
Australia Post is a government-owned corporation that provides postal and retail services, parcel delivery and shipment, domestic and international transactions, payment services, identity verification for passports, and licenses and proof-of-age card services in Australia. The company also offers data management and logistics services for public and private businesses in the country.
In its audit report, Cyber Resilience of Government Business Enterprise and Corporate Commonwealth Entities, ANAO recommended that Australia Post implement robust cybersecurity improvement measures and key controls across all its critical assets.
“Australia Post has not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight,” ANAO said in the report. “Despite the importance of cybersecurity in safeguarding the Australian government’s digital information, there has been ongoing low levels of cyber resilience of non-corporate Commonwealth entities and weaknesses in the regulatory framework for ensuring compliance with mandatory cybersecurity strategies.”
The ANAO stated that Australia Post has failed to fulfil the Essential Eight, a set of government-mandated mitigation strategies that asks entities to implement application whitelisting, patch applications and operating systems, disable Office macros, strengthen user applications, restrict administrative privileges, set up multi-factor authentication, and conduct daily backups.
“Australia Post has not met the requirements for ICT controls in its framework, having not implemented all specified key controls, and as a result has rated the overall cyber risk as significantly above its defined tolerance level,” ANAO added.
Recently, the Australian National University discovered a major data breach that affected sensitive information belonging to students and the University. According to the University’s Vice Chancellor Brian Schmidt, unknown cybercriminals attacked the University’s systems and accessed personal information late in 2018, and University authorities discovered the breach on May 17, 2019. It’s believed that the hackers had unauthorized access to significant amounts of personal information, spanning 19 years, related to staff, students, and visitors.
The exposed information included names, addresses, dates of birth, phone numbers, personal email addresses and emergency contact details, tax file numbers, payroll information, bank account details, passport details, and student academic records, according to Schmidt.
However, Schmidt clarified that data such as credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers, and some performance records were not affected by the incident.