Casey Council has been spared by the most recent data breaches experienced by after-hours service provider OracleCMS, following the tumultuous months of April and May after the attack by ransomware group Lockbit.
The council’s chief information officer Clint Allsop said that the council is aware of the attacks and that following careful analysis, they are “confident no City of Casey systems or personal data has been compromised”.
Furthermore, Mr Allsop added that there are “no direct links between OracleCMS and other Casey systems”.
While safe from any leaks, Deakin University professor and director of Centre for Cyber Resilience and Trust, Robin Doss, said that overall community confidence on organisations’ ability – councils included – would be impacted by these data breaches.
“In a sense it sort of places an onus on government agencies, broadly, that handle citizen data to not just look at how they manage the protection of information in their own internal systems, but also across their supply chains,” Professor Doss said.
Victorian councils from Whitehorse City Council, Merri-bek City Council, Mitchell Shire Council, South Gippsland Shire Council, Yarra City Council and more were all victims of the breaches earlier in the year.
While acknowledging that Casey had not been impacted, the professor expressed that the council now has a bigger responsibility in terms of safety.
“This is a classic example of what we term as a supply chain risk and a supply chain compromise; so it’s, in a sense, okay for some councils to say our own systems haven’t been breached, but their responsibility now extends beyond that as well.
“When they enter into these sorts of relationships, I guess some of the questions that they should be asking is around what security measures are in place to ensure that information that might be shared for the provision of services on their behalf is protected as well,” Professor Doss said.
The breach throughout April and May resulted in the unauthorised access and publication of 60GB of data after a ransom demand set for 16 April 2024 was not met by OracleCMS.
Baw Baw Shire Council, alongside the City of Monash and the City of Whittlesea, are the most recent to report breaches in their system, which all occurred in early June.
Mr Allsop had strong confidence in Casey’s level of cyber security, saying that they have “a robust Corporate Governance structure”.
Which in turn is “accompanied by a Cyber Security framework, which is based upon industry best practices, standards and is compliant with applicable legal and regulatory requirements in the state of Victoria, Australia and adheres to underpinning principles from International Cyber Security Standards (NIST, ISM etc.)
“We also have a Cyber Security Policy which defines and documents Council’s approach to ensure effective management of cyber security risks,” he said.
For Professor Doss, however, the events that transpired earlier in the year and the most recent developments with the three additional councils are all part of the risks involved in the accelerating development of technology, especially cyber, digital and online spaces.
Cyber safety needs to be recognised in the same playing field as physical safety where “unfortunately we live in an environment where everybody is targeted”.
“You need to start early in terms of educating children, it’s something about a message that needs to be reinforced right?” he said.
Making it well-known and understood that cyberspace is much more intertwined with the physical world is an important factor in terms of safety, with steps to take towards this being as little as not allowing apps like Snapchat to track your location.
“Your location information is being shared, so somebody knows where you physically are, even though you think you’re in this online world.
“You never know when you might become a victim and then when that occurs, what are the support structures in place?
“I think there is a sense of personal responsibility that as citizens, we need to recognise, but then organisations have a critical role to play as well, both in terms of how they handle citizen information, not just individually, but across their supply chains,” Professor Doss said.
In addition to Casey’s Cyber Security Policy, the council also has a Data and Information Management Policy “which outlines data and information management practices” as well a Data Breach Policy that “enables Council to contain, assess and respond to data breaches in a timely fashion and to help mitigate potential harm to affect individuals”, said Mr Allsop.
Incident response plans are a critical part of any organisation, councils included; and for Professor Doss, cyber and fire drills should be held with the same regard.
“If you don’t have a plan in place in terms of how to respond to something like that, then you’re already a step behind.
“You don’t wait for the fire to see if your evacuation plan works, which is similar to that with your incident response plans as well – you need to run through them a couple of times, run a few scenarios, cyber drills and things like that prior.”
The professor also spoke about the European Union’s General Data Protection Regulation, which first came into effect in 2018, and which “outlines these principles around not collecting more data than what is necessary to provide a service”.
“It’s also about holding onto information only for the period of time that you need to [but] the caveat there is there might be some regulatory requirements for you to hold on to certain types of information as well.
“But the thing is, how you do ensure that the best practice is in place, and how do you ensure that you recognise the changing risk landscape and you’re responding to that as an organisation?”
Casey’s Data Breach Policy also sets out mandatory procedures that the staff must apply if the council were to ever experience a data breach, or suspects that a data breach has occurred.
Moving forward, OracleCMS released a statement saying that they have external experts guiding their investigation, as well as the organisation’s clients – such as councils – notifying individuals to provide them steps that provide added protection.
They have reported that there are also no malicious activities within their IT environments and they have also enacted a series of containment measures, as well as an External Vulnerability Assessment and Penetration Test which found no vulnerabilities in their system.
