Personal information and ACT government data may have been accessed through a cyber security breach.

A security breach affecting Barracuda, an email gateway system that supports some ACT Government ICT systems, is currently the focus of the ACT Government's response.

On May 24, Barracuda discovered a flaw in their Email Security Gateway and published a public vulnerability notification.

In a statement at the time, Barracuda stated, "Based on our investigation to date, we've identified that the vulnerability resulted in unauthorised access to a subset of email gateway appliances."

The ACT Cyber Security Centre learned about the public notification while conducting routine cyber security checks and looked into it. The ACT Cyber Security Centre immediately rebuilt the impacted Barracuda system after the potential vulnerability was identified in order to close any remaining gaps.

A breach has now been confirmed by the investigation, and a harms assessment is in progress to fully understand the impact on our systems and, more importantly, the data that may have been accessed.

The ACT Cyber Security Centre has established the Cyber Incident Management Team and is collaborating on the ongoing investigation with the Australian Cyber Security Centre and Barracuda Networks.

Everyone in the community should be reminded by this incident to be careful with their personal cyber security, including keeping an eye on their personal information online for any unusual activity.In the wake of a data breach, an investigation is being conducted to determine how many personal and official records may have been accessed.

Some of the ICT systems used by the ACT Government are supported by the email gateway system Barracuda, which on May 24 posted a notice about a breach on its website.

In essence, this made software-protected data accessible.

Chief Digital Officer Bettina Konti said, "This isn't an attack on the ACT Government; this is an attack on Barracuda systems. It is not a virus or malware; rather, it was a vulnerability that allowed information to be exposed or made available to a threat actor.

The affected Barracuda system was completely rebuilt after the ACT Cyber Security Centre learned about the notice in order to close any remaining vulnerabilities.

Data is secure from unauthorised access, but it's not clear how much harm has already been done.

"We are some way through [investigation], which is what made us think that there's a likelihood here we may have had some personal information involved, but we need to be able to complete the harms assessment to be clear," said Ms. Konti.

"The work that we need to do now is to understand what information was passed through that system, what it was connected to, and what information is in there that may have been able to be accessed during the period the vulnerability existed."

It is unknown how much data was exposed and how much data was accessed because several government directorates, including Access Canberra, health, and education, are connected through the system.

Given that Barracuda first became aware of vulnerabilities in its system back in October 2022, it is also possible that data going back further than 24 May may have been accessed.

In order to try and understand what may have been accessed and whether anything has actually been taken, Ms. Konti said, "we need to trawl through more data if it goes back as far as October."

Chris Steel, a special minister of state for digital and data, said that although the person or group responsible for the vulnerability had not been found, there was a "strong likelihood" of a breach.

He stated, "At this time, we are not aware of any information that may have been accessed on any systems used by the ACT Government and made available on the dark web."

As far as we are aware, neither Barracuda nor ourselves have had contact with the threat actor directly.

Although there has not yet been any proof that the personal information of Canberrans was accessed, he explained that this was under investigation and it was possible that it might have come from automated emails.

"We do believe there is a likelihood that some information could have been accessed through the vulnerability," the man said. "However, the kind of information we're talking about is probably going to come from a subset of automated emails related to affected government systems."

This includes the case where someone filled out an online form and an automated email containing some of the data they had entered was sent back to them.

The Australian Cyber Security Centre, Barracuda Networks, and the ACT Cyber Security Centre are collaborating on the ongoing investigation.

The ACT Government has agreed to provide Access Canberra with weekly updates on the incident.

Before you go..

You can get RedWires AU for free right now. Your donation, no matter how big or small, will help us keep doing honest journalism.

The readers of Redwires AU are the engine that drives our publication. Add your support to the effort to create a sustainable future for journalism that does not make compromises in the AU.

In the world we live in now, accurate and thorough reporting and analysis are becoming more and more important. To stop the spread of false information, it's very important that everyone in Australia has access to good reporting.

The Redwires AU contributes to society by opening up access to information and resources for all people, rather than just a select few.

Our only goal is to educate the general public more thoroughly. If you believe in what we're trying to accomplish here, please consider making a contribution right away to ensure our success in the years to come.

Upgrade your subscription to get the most out of it. Join the growing number of people around the world who believe in the power of independent media.