Cyber Incident Victim: Education Tas Gov
Date: Mar 2023
Location: Australia
Summary
A cyber attack targeted the Tasmanian Department of Education, Children and Young People via a vulnerability in the third-party file transfer service GoAnywhere MFT. The ransomware group Cl0p accessed and released at least 16,000 documents containing sensitive information including names, addresses, and financial records of parents and students. A helpline was established for affected individuals, and the incident is under investigation by the Australian Cyber Security Centre.
Description
On or around March 31, 2023, the Tasmanian government confirmed that its data had been accessed in a cyber attack. The incident involved a third-party file transfer service known as GoAnywhere MFT, which was used by the Department for Education, Children and Young People. The breach was part of a larger global attack targeting this specific software. The ransomware group Cl0p was identified as the actor responsible for accessing and subsequently releasing the stolen data online. The Tasmanian government stated that the specific incident occurred over a four-day window during which the software's vulnerability was exploited before a patch could be applied to remedy the problem.

The compromised data consisted of a significant number of documents. Science and Technology Minister Madeleine Ogilvie confirmed that at least 16,000 documents had been released online by the hackers. She also conceded that as investigations continued, this number was likely to increase. The content of these documents was highly sensitive, containing the names and addresses of parents and students connected to the department. Furthermore, the breach included financial documents such as invoices and bank statements. This exposure of personal and financial information placed a large number of individuals at risk for potential identity theft and financial fraud.
In response to the incident, the Tasmanian government initiated several actions aimed at managing the crisis and supporting those affected. A dedicated helpline was established for individuals to contact if they were concerned their data had been accessed; the number provided was 1800 567 567. Minister Ogilvie urged anyone who noticed unusual activity, particularly on their bank statements, to come forward and report it to the authorities or contact the Australian Cyber Security Centre. The government also directly contacted Tasmanian schools to inform them of the data breach. The investigation into the breach was formally handed over to the Australian Cyber Security Centre.
The government decided to continue using the GoAnywhere MFT software after the incident. Minister Ogilvie defended this decision as part of "best practice" following the application of a patch that fixed the known vulnerabilities. She stated that the problem with the software itself had been remedied and that the ongoing issue was related to the information that had been transferred during the initial vulnerable period. The minister also confirmed that no ransom demand had been made by the attackers and stated unequivocally that none would be paid should a demand be received in the future.
The political response included criticism from the opposition Labor party. Labor's Jen Butler called for the Premier to step in and manage the crisis, expressing concern that every primary school in Tasmania and every entity or individual connected to the education department could be compromised, potentially putting some people in a very dangerous situation. It was noted that other major organizations, including Crown Resorts and Rio Tinto, were also victims of the same attack by the Russian hackers. Labor leader Rebecca White requested a briefing from the government, characterizing the situation as serious and noting that parents were rightly concerned about the security of their personal information.
Cybersecurity experts provided analysis on the broader implications of such a data breach. They emphasized that the primary motivation for these attacks is typically financial, whether through direct ransom demands made to the compromised organization or through the subsequent use of stolen personal data for identity theft and scams. The data exposed, including names, addresses, and bank details, is highly valuable to attackers as it forms the core information used to verify an individual's identity. Once this information is publicly released, it cannot be retracted, creating a permanent risk for the affected individuals.
The experts further explained that the risk is compounded over time because data from multiple breaches can be combined to build more comprehensive profiles of individuals, making social engineering attacks more plausible and effective. They noted that the impacts of a breach are often not immediate and can manifest much later if the data is sold or passed on to other criminal groups. Vigilance was repeatedly cited as the most critical defense for individuals, given that the data is already in the wild. Recommendations for affected individuals included monitoring financial statements closely for any unusual activity, changing passwords for email and other important accounts, and ensuring passwords are not reused across different services.
The incident highlighted the challenges organizations and individuals face from sophisticated cyber criminal groups that operate on a global scale. The attack was not a targeted intrusion against the Tasmanian government specifically but rather an exploitation of a vulnerability in a widely used commercial software product. This meant that the consequences were felt by a diverse range of entities, from government departments to large corporations. The Tasmanian government's public communications focused on providing guidance and support to those whose data was exposed while the investigation by national cybersecurity authorities continued to assess the full scope and impact of the breach.
