Cyber Incident Victim: Superannuation of South Australia
Date: Aug 2023
Location: Australia
Summary
A cyber security breach occurred at a third-party call centre previously contracted by Super SA. The incident involved unauthorized access to data pertaining to over 14,000 members, which the vendor had retained after its contract ended. The stolen information primarily consisted of names, addresses, and dates of birth, though some members may have had additional details exposed. The breach was a secondary event stemming from a previous cyber attack on the superannuation provider.
Description
The Super SA cyber incident, which came to light publicly in October 2023, had its origins in a previous security breach from November 2019. That initial event involved the government superannuation provider Super SA, a dedicated fund for South Australian state government employees. Information pertaining to 14,011 Super SA members was accessed by hackers during the 2019 attack. In response to that breach, Super SA engaged the services of a third-party call centre, the Adelaide-based company Contact 121, in 2020. This contractor was hired specifically to help field phone calls and manage communications with the members who had been impacted by the original 2019 incident.

After the contractual relationship between Super SA and Contact 121 concluded, the call centre company retained data belonging to the Super SA members on its information and communication technology systems. This retained data was then accessed by hackers in a subsequent cyber security breach that occurred approximately two months prior to mid-October 2023, placing the incident around early August 2023. The government stated that the breach did not appear to involve any data more recent than 2020. All members who had been implicated in the original 2019 cyber breach were also impacted by this latest attack on the third-party provider, affecting the same cohort of 14,011 individuals.
Super SA became aware of this new security incident on September 1, 2023. The agency, however, did not receive confirmation that an actual breach of the data had occurred until October 4, 2023. The internal government notification process saw the Department of the Premier and Cabinet informed of the cyber breach on August 18, 2023. South Australian Treasurer Stephen Mullighan stated he was only personally told about the incident on Thursday, October 12, 2023, nearly two months after the hack itself took place and significantly after other parts of the government apparatus had been notified.
The specific data accessed in the breach was information that Contact 121 had retained from its previous work for Super SA. A government spokesperson indicated that for the majority of impacted members, the potentially accessible information may contain basic personally identifiable information such as a name, address, and date of birth. For some members, however, there may have been other types of information accessible, though the precise nature of this additional data was not publicly specified. In a statement to its members, Super SA noted that it was taking "an abundance of caution to secure member accounts in the acknowledgement that the data has been breached," but also clarified that "at this stage it is still unknown if any of the Super SA data has been accessed."
The response from the South Australian government involved an immediate investigation into the circumstances surrounding the breach. A primary focus of this investigation was to determine why Contact 121 had retained Super SA members' data on its systems after its contract with the government agency had ended. Treasurer Mullighan raised a series of questions in parliament regarding the requirements for third-party providers to delete government data from their ICT systems after completing their work. The government confirmed it no longer used Contact 121's services and stated it was unaware of any other government agencies continuing to use the company post-2020. The government's cyber security section also began working with other agencies that had previously used the same third-party provider to investigate if any other personal data had been breached, though at the time of reporting, there was no advice that any other data had been accessed.
Treasurer Mullighan publicly expressed significant dissatisfaction with the handling of the incident, stating the government's response was "simply not good enough." He called for government agencies to greatly improve their cyber security practices, both in insulating themselves against attacks in the first place and in responding to them in a timely, thorough, and appropriate manner. He emphasized that the management of these incidents was exposing South Australians' sensitive data to illegal access and was letting down thousands of people. He committed to reporting back to parliament on the full number of members impacted.
The incident drew criticism from the opposition and concern from public sector unions. Opposition spokesperson Heidi Girolamo stated the breach highlighted gaps that needed to be addressed and emphasized the need for constant review and improvement of policies, as well as investment in data protection. Natasha Brown, general secretary of the Public Service Association, said she was "extremely concerned" about the breach and stated that public sector workers should be able to expect their privacy and personal and financial data to be protected when entrusted to government agencies. The union expected the government to thoroughly investigate how the breach occurred, minimize the impact on members, and take action to prevent a recurrence.
This event marked the second time in less than two years that private data from a South Australian state government agency, held by a third-party firm, had been illegally accessed. The previous incident occurred in November 2021 when hackers targeted payroll provider Frontier Software, impacting more than 90,000 public servants. Experts commenting on the Super SA breach noted that companies in Australia are not legally required to delete client data once they no longer have a practical use for it, though they have a duty of care to hold information securely. The South Australian government had published a discretionary set of guidelines for data management by government agencies, but these were authored in 2018 and described by an expert as potentially "out of date." The full extent of what information was specifically accessed or exfiltrated from Contact 121's systems remained unknown at the time of reporting, with experts noting that it can take quite a while for companies to determine exactly what was stolen in a breach.
