Cyber Incident Victim: Internal Revenue Commission
Date:
Jan 2025
Location:
Papua New Guinea
Summary
Papua New Guinea's Internal Revenue Commission suffered a major cyber attack causing prolonged system outages, initially disclosed only as a network disruption. The incident compromised core tax infrastructure, including the SIGTAS platform and communication systems, potentially exposing sensitive citizen and business data—including Australian entities. Despite Australia offering regional cybersecurity assistance, the tax office declined support and engaged a private firm for recovery, with experts warning restoration could take months. The attack disrupted critical services like tax approvals, hindering business operations, while concerns persist about data leakage and eroded investor confidence amid the Pacific's escalating digital threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 5 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Papua New Guinea Internal Revenue Commission (IRC) experienced a major cyber attack around late January 2025, which disrupted critical tax systems and compromised sensitive citizen and business data. On January 29, the IRC publicly acknowledged only a "system outage" affecting its network, withholding confirmation of the cyber intrusion despite internal awareness of the incident. The attack disabled core operational infrastructure, including the SIGTAS tax management platform, email services, and phone communications, paralyzing routine tax processing functions. By mid-February, two weeks after the initial disruption, most IRC systems remained offline, preventing tax agents and businesses from obtaining approvals or clearances required for commercial activities. A local tax agent reported widespread operational delays affecting clients, with no timeline provided for restoration. Sources in Papua New Guinea and Australia independently verified the outage resulted from a cyber attack, though the IRC leadership, including Commissioner General Sam Koim, did not respond to inquiries about the breach's scope or origins. The incident marked the second major cyber attack on a Papua New Guinean government agency since a 2021 ransomware strike against the Department of Finance.
The IRC engaged a private cybersecurity firm for recovery efforts, declining immediate assistance from Australia's dedicated Pacific cyber response team despite the latter's formal offer of support. Cyber experts projected recovery could require weeks or months due to limited IT resources and budgetary constraints characteristic of developing economies. Robert Potter, a cybersecurity specialist involved in establishing Papua New Guinea's National Cyber Security Centre, noted the logistical and reputational challenges of external intervention during forensic investigations. Mihai Sora of the Lowy Institute highlighted concerns that the attack could undermine foreign investor confidence in Papua New Guinea's digital infrastructure, exacerbating existing hesitations about operational risks in the region. The breach occurred amid accelerating digital transformation across Pacific Island nations, where cybersecurity capabilities have not matched the pace of technological adoption. Authorities had not disclosed the attacker's identity, the extent of data exfiltration, or the likelihood of data recovery as of mid-February 2025. Operational impacts persisted with no public remediation plan released by the IRC.