Cyber Incident Victim: Australian Capital Territory Government
Date: May 2023
Location: Australia
Summary
The ACT Government experienced a security breach affecting a Barracuda email gateway system. The vulnerability was identified by the vendor, and the vendor's public notification was subsequently picked up by the government's own cyber security team. An investigation confirmed a breach had occurred, prompting a rebuild of the impacted system to eliminate the threat. A harms assessment is underway to understand the full impact on systems and data. Officials are confident the breach has been contained and that there is no ongoing threat.
Description
On or around May 24, 2023, the ACT Government began responding to a cybersecurity incident involving its information and communications technology systems. The incident was not initially discovered through internal monitoring; it came to light through a third-party vendor, Barracuda Networks. Barracuda had identified a vulnerability in its own Email Security Gateway product and issued a public vulnerability notification on that date, May 24. This public disclosure was the catalyst for the ACT Government's investigation into its own systems. The Barracuda Email Security Gateway was an integral component of some of the ACT Government's ICT infrastructure, serving as a critical email gateway.

As part of its standard operating procedures and routine cyber security measures, the ACT Cyber Security Centre discovered this public notification released by Barracuda. Upon learning of the vulnerability, the ACT Cyber Security Centre immediately launched an investigation to determine if its government systems were affected. The investigation confirmed that the potential vulnerability identified by Barracuda was indeed present within the ACT Government's implementation of the Barracuda system. The presence of this vulnerability meant that the government's email infrastructure was potentially exposed to exploitation.
In immediate response to confirming the vulnerability's presence, the ACT Cyber Security Centre completed a full rebuild of the impacted Barracuda system. This action was taken to eliminate any ongoing vulnerability and to secure the system against potential further exploitation. The primary goal of this rebuild was to contain any immediate threat and to harden the system's defenses. Following this containment action, a more thorough investigation was initiated to understand the full scope and impact of the incident. This subsequent phase of the investigation confirmed that a security breach had, in fact, occurred through the exploited vulnerability.
The investigation into the breach is ongoing and a formal harms assessment is underway. The purpose of this assessment is to fully understand the impact specific to the ACT Government's systems and, more importantly, to determine the nature and sensitivity of the data that may have been accessed during the breach. The government has expressed confidence that the actions taken to date, specifically the rebuild of the impacted system, have successfully contained the breach. Officials have stated that there is no ongoing threat to the systems and that Canberrans can continue to use ACT Government online systems with confidence.
To manage the response and investigation, the ACT Cyber Security Centre formally stood up its Cyber Incident Management Team. This team is coordinating the ongoing efforts to investigate the breach and assess its impacts. Furthermore, the ACT Government is not working in isolation; it is collaborating with external partners on this incident. This includes working directly with Barracuda Networks, the vendor of the compromised system, and with the Australian Cyber Security Centre, the national authority on cybersecurity. This collaboration is focused on the forensic investigation and understanding the broader implications of the vulnerability exploited in the attack.
The ACT Government has committed to a policy of transparency regarding the incident, promising to provide weekly updates to the public on the matter. Information regarding the incident and these updates is being directed to the government's primary services website, accesscanberra.act.gov.au. While the specific details of the data accessed have not been publicly disclosed as the harms assessment is still in progress, the incident has been framed as a reminder to the community about the importance of personal cyber vigilance. The public has been advised to monitor their personal information online for any signs of suspicious activity and to utilize tools and advice available from official government sources.
The incident underscores the complex nature of modern cybersecurity, where a vulnerability in a widely used third-party product can directly impact government operations. The chain of events began with an external vendor's discovery and public notification of a critical flaw in its software. The ACT Government's detection was therefore reactive, triggered by this external disclosure rather than by proactive internal detection of malicious activity. The response combined a swift initial action to rebuild and secure the vulnerable system with a more methodical follow-up process to determine the extent of the breach and its consequences. The engagement of specialized internal teams and national cybersecurity experts highlights the coordinated approach taken to address the situation.

The full impact on data and systems remains under investigation, with the government prioritizing the assessment of potential harm to individuals whose information may have been compromised. The public assurance of no ongoing threat rests on the containment actions already executed, namely the elimination of the specific vulnerability through the system rebuild. Online government services are presented as secure to continue using, with the incident response now focused on investigation and assessment rather than on immediate containment.
