news The Australian Bureau of Statistics has poured cold water on a series of articles by the Financial Review newspaper last week which claimed a series of “cyber-attacks” had successfully targeted the government agency, with the ABS stating that its systems had never been breached.
The newspaper published a series of articles last week on the issue. The prime article, entitled ‘Cyber attacks hit Australian Bureau of Statistics’, relied on a series of documents released by the agency under Freedom of Information laws (PDF). “The breaches reveal a concerted attempt at breaking into key data repositories including Ausstats, the database that holds all sensitive economic information, including data on inflation, unemployment and gross domestic product,” the article by columnist Christopher Joye stated.
Joye wrote in a separate article: “What is not known, and will likely never be known, is whether any confidential information has been accessed.” The ABC followed up on the article in its own coverage.
However, the ABS issued a statement today stating that contrary to the AFR’s implication, “there have been no successful attempts to gain access to market sensitive or other confidential data held by the Australian Bureau of Statistics”. “The “AUSSTATS” database referred to in your article is a source of publicly available statistics,” the agency added. “It does not hold any confidential data.”
”The so-called “successful” attacks referred to in the article relate to external users attempting to connect to publically available ABS services. The incidents were detected by the ABS due to the large number and random nature of the connection attempts. The attempts logged as successful related to valid connections. Attempted connections to the ABS homepage during this incident were reported as being successful by the ABS Security monitoring tool. These attempts posed no threat to the security of ABS data.”
The AFR also noted that there was a possibility that ABS user accounts had been compromised and used to attack ABS systems. “The incident referred to in the AFR report relates to authorised users of ABS provided external services incorrectly entering their password when trying to access the system,” the agency wrote. ”
As noted by the AFR the ABS was expansive in the information it provided as part of the FOI request. The information redacted in the reports related to detailed technical information that provides intelligence on the structure of the ABS network and personal data such as email address and phone numbers of ABS staff involved in the security response.” ”Given the growing sophistication of cyber criminals the ABS cannot take our security systems for granted. We are vigilant in monitoring intrusions into our IT systems, and seek through collaboration with government security agencies to maintain best practice in preventing unauthorised access to confidential data.”
It’s not the first time over the past several months that a government agency has rejected claims put by the AFR, and Joye personally, that its systems and data were at risk. Joye does not appear to personally have a technical background; instead, the commentator has a background in finance and economics.
In mid-March, for example, the AFR published an article by Joye claiming that the Reserve Bank of Australia’s computer networks had been “repeatedly and successfully” hacked, including by “Chinese-developed malicious software”. However, at the time, like the ABS, the bank denied any data had been stolen.
It wrote: “As reported in today’s media, the Bank has on occasion been the target of cyber attacks. The Bank has comprehensive security arrangements in place which have isolated these attacks and ensured that viruses have not been spread across the Bank’s network or systems. At no point have these attacks caused the Bank’s data or information to be lost or its systems to be corrupted. The Bank’s IT systems operate safely, securely and with a high degree of resilience.”
The news comes as fears about so-called ‘cyber-security’ incidents continue to grow in the Australian community, including in industry and government circles. However, concrete evidence of actual data having been stolen or systems seriously compromised is thin on the ground.
A major new study of the IT security habits and experiences of Australian organisations conducted by government group CERT Australia and published in February, for instance, found the majority did not suffer an IT security incident over the past 12 months, and those that did mainly suffered minor breaches such as the theft of a laptop of smartphone.