Thursday, February 7, 2019

Parliament House computer network hacked in a “security incident”

An urgent investigation is underway after Parliament House’s computer network was hacked in a “security incident” overnight and this morning.

Security industry sources told AAP that China is behind the latest attack.
The attack has been described as “sophisticated”.
All users of the parliamentary computing network, including MPs, senators and staffers, have been required to change their passwords.
It comes after News Corp reported Chinese cyber criminals have stolen the private details of millions of Australians, with new data revealing Aussies have been hit by more than 800 data breaches that could cause “serious harm” in the past year.
The Australian Signals Directorate, one of the nation’s security agencies, has confirmed it is working with the Department of Parliamentary Services to investigate the incident.
A spokeswoman said the ASD and its Australian Cyber Security Centre were working to understand “the full extent of this network compromise”.
“Meanwhile, the necessary steps are being taken to mitigate the compromise and prevent any harm,” she said.
“At this early stage our immediate focus is on securing the network and protecting its users.”
The spokeswoman would not comment on reports agencies were investigating whether a foreign power was behind the attack.
“Proper and accurate attribution of a cyber incident takes time,” she said.
Chinese intelligence agencies were behind a previous cyber attack on Parliament in 2011, in which MPs' emails may have been read.
In a statement today, Speaker Tony Smith and Senate President Scott Ryan said: “There is no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation.”
“Similarly, we have no evidence that this is an attempt to influence the outcome of parliamentary processes or to disrupt or influence electoral or political processes.”
The speaker added that there was “no guaranteed approach to cyber security” but the department was working with expert agencies to detect and remediate any threats quickly.
Opposition leader Bill Shorten has been briefed on the hack but would not comment on who might be behind it.
Mr Shorten said the hack was a “wake-up call” for Australians, and added that Labor would invest more in cyber security for Australian medium and small businesses if elected.
“I think the Government needs to ramp up the priority it’s paying on cyber security. Just because you can’t see who your enemy is because they’re on the internet doesn’t mean they’re not your enemy,” he said.

MILLIONS HIT IN 812 DATA BREACHES

Passport numbers, bank details, credit card or tax file numbers, drivers licences, health information and contact details were lost or stolen in breaches that are occurring at a rate of at least two per day, Office of the Australian Information Commissioner figures show.
A staggering number of people, between one and 10 million, were exposed to serious harm in a single data breach in late 2018, while a whopping 64 per cent of the 262 data breaches in the December quarter were the result of hackers conducting “malicious or criminal attacks”.
Phishing, malware, ransomware and “brute-force” attacks were some of the key tactics hackers used, along with using compromised or stolen credentials, social engineering or impersonation.
Rogue employees or an “insider threat” were responsible in 12 per cent of criminal data breach cases.
The number of data breaches in 2018 was a massive seven times higher than in 2017, when only 114 breaches were reported, thanks to the government introducing mandatory reporting in February.
But experts are calling for the law to be reviewed now the extent of the problem has been revealed, including considering whether Australia should adopt fines for companies which allow a data breach to occur through carelessness.
Under the scheme, companies or government agencies face fines of up to $2.1 million if they do not report within 30 days when customers’ personal information is lost, stolen or accessed by an unauthorised third party.
Even then, companies are only required to report if the customer could be exposed to “serious harm” through the breach.
Shadow Attorney-General Mark Dreyfus stopped short of saying Labor would launch a review but told News Corp Australia the party would “scrutinise” the legislation if it won government to “ensure it is working as intended”.
He said it was encouraging data breaches were being reported but added “the sheer volume is obviously concerning”.
Digital security expert Troy Hunt, founder of the globally-renowned website Have I Been Pwned?, said a full review was needed, particularly of the 30-day period companies have to report, the requirement that there must be a risk of serious harm, and that mandatory reporting is required only of companies with turnovers of more than $3 million annually.
Companies in the European Union have just 72 hours to report.
Mr Hunt also said fines should be introduced for companies which allowed breaches to occur through carelessness, like in the UK where authorities slapped telco TalkTalk with a £400,000 ($A728,000) fine after an investigation found hackers were able to access systems “with ease” and take advantage of “technical weaknesses”.
“There needs to be some sort of disincentive for organisations to have these incidents,” Mr Hunt said.
“Without some sort of regulatory penalty, it’s hard to see where that is, other than their own fear of reputation damage.”
University of NSW cyber director Nigel Phair also called for a review to examine the current laws as well as the OAIC’s resources and capacity to investigate breaches.
“This should include trends with breach notification, what organisations are doing to fulfil the spirit of the legislation and is the reporting template sufficiently granular to enable accurate reporting,” he said.
“We also need more granular reporting from the OAIC regarding industry sectors where breaches occur, the number of investigations commenced and the outcomes, including any fines and/or enforceable undertakings.”