NSW Education had an unknown vulnerability in the hacked system
Last year, hackers exploited an unknown vulnerability to gain access to a NSW Department of Education system and stole the names and email addresses of an undisclosed number of people.
The NSW Department of Education took nearly seven months to complete an “extremely complex and time-consuming” forensic examination of its systems and the attack, which took place in early July 2021.
It is unclear which specific education system was initially compromised to grant the attackers access.
However, the department has now revealed that the system contained “a vulnerability that [it] didn’t know.”
Its security team also observed the attack in progress and decided to stop the data exfiltration.
“The department’s IT and security teams detected the attack while it was in progress and stopped the data transfer,” it said in a recently posted FAQ.
However, the attackers were still able to get away with the names and addresses of an unknown number of people, whom Education said it had started notifying.
Preliminary investigations in the weeks following the attack indicated that “some information, including contact details, may have been compromised”.
Education Secretary Georgina Harrisson said no passwords, bank records, credit or debit card numbers, financial records, government IDs or health records were accessed.
“Based on this investigation, the data collected during the attack was limited to personal information such as names and email addresses,” Harrisson said.
“Thanks to the robust IT measures required of all government departments in NSW, [Education] was able to spot the attack in progress and take immediate action to block it.”
The department declined to reveal how many people were caught up in the incident.
The attack forced Education to disable several computer systems for days to protect the data of other students and staff.
Online portals used by both staff and students, staff email and staff intranet were all impacted, but were back up and running for the start of the school term.
The department continues to work with the Australian Center for Cyber Security, the NSW Information and Privacy Commissioner and the NSW Police to investigate the attack.
Those affected by the incident can get assistance through a dedicated call center set up by the department.
More than 94,000 teachers and other staff are employed by the department, according to a 2021 snapshot.
By comparison, another NSW government entity, Service NSW, took five months to begin notifying customers affected by a phishing attack on staff.
That attack exposed the personal information of 103,000 people, down from initial estimates of 186,000.