“HIGH risk” flaws in Vincent council’s computer systems leave it wide open to internal malfeasance and external attacks.
A report by the WA auditor general has found the council’s security gaps have left its confidential and sensitive information vulnerable to unauthorised users.
The external audit found there’s no restriction on which staff can access or change data, and no log of changes is kept.
A Victorian government report just released on the issue found lax controls like Vincent’s heightened the risk of council staff being bribed for official information, leaking data to associates, or using insider information for financial benefit on land and planning matters.
The audit also found six council computer accounts belonging to terminated employees were still active, “and two have accessed the system after their termination date”.
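The offboarding failure described above is straightforward to check for. The following script is an added example, not part of the article or of the auditor general's report: it reconciles a hypothetical HR termination list against a directory export and a few constructed authentication log lines, and flags both conditions the audit names, accounts still enabled after the holder's termination date and successful logins after that date. Every name, date and log line is made up for illustration.

```python
"""
Added example (not from the article or the audit): reconcile an HR
termination list against account status and authentication log lines,
flagging accounts still active after the holder's termination date and
logins that occurred after that date. All data here is constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR offboarding list: username -> termination date (hypothetical)
TERMINATIONS = {
    "jsmith": date(2021, 6, 30),
    "aperez": date(2021, 8, 15),
    "kwong": date(2021, 9, 1),
}

# Constructed directory export: username -> account enabled flag
ACCOUNT_STATUS = {
    "jsmith": True,   # should have been disabled at termination
    "aperez": False,  # correctly disabled
    "kwong": True,    # should have been disabled at termination
    "mlee": True,     # current employee
}

# Constructed auth log, one event per line:
# "<ISO timestamp> LOGIN user=<name> result=<ok|fail>"
AUTH_LOG = """\
2021-06-29T08:02:11 LOGIN user=jsmith result=ok
2021-07-03T17:45:09 LOGIN user=jsmith result=ok
2021-08-14T09:00:00 LOGIN user=aperez result=ok
2021-08-20T22:13:40 LOGIN user=aperez result=fail
2021-09-05T10:30:00 LOGIN user=kwong result=ok
2021-09-06T11:00:00 LOGIN user=mlee result=ok
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "active_after_termination" or "login_after_termination"
    detail: str


def parse_auth_log(text):
    """Yield (timestamp, user, result) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "LOGIN":
            continue  # skip malformed or unrelated lines
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        yield ts, fields["user"], fields["result"]


def reconcile(terminations, account_status, auth_log_text):
    """Return a list of Finding objects for offboarding control failures."""
    findings = []

    # 1. Accounts still enabled although the holder has left.
    for user, term_date in terminations.items():
        if account_status.get(user):
            findings.append(Finding(user, "active_after_termination",
                                    f"account enabled, terminated {term_date}"))

    # 2. Successful logins dated after the termination date.
    #    Failed attempts on a leaver's account are also worth alerting on,
    #    but the audit finding concerns actual access, so only "ok" counts here.
    for ts, user, result in parse_auth_log(auth_log_text):
        term_date = terminations.get(user)
        if term_date is None or result != "ok":
            continue
        if ts.date() > term_date:
            findings.append(Finding(user, "login_after_termination",
                                    f"login at {ts.isoformat()} after {term_date}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(TERMINATIONS, ACCOUNT_STATUS, AUTH_LOG):
        print(f"{f.kind:26} {f.user:8} {f.detail}")
```

Run against real data, the same logic would take the HR system's leaver list, a directory export of enabled accounts, and the authentication logs of the systems in scope; the point of the check is that it can be scheduled, so the gap between a termination date and the account being disabled is measured rather than discovered years later by an external audit.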
The council’s database also hasn’t had software updates since 2012 (older software is more exposed to attack because it misses the updates that patch known security holes) and information isn’t encrypted but stored in “plaintext”.
That means hackers would have easy access to sensitive information, as happened in the 2011 Sony hack, when it was revealed that a million passwords had been stored in plaintext instead of being encrypted.
It’s a timely audit as petitioners against the council’s new electronic parking permit system recently raised concerns over privacy breaches. The new system means visitors to properties would have their car rego details logged in a council database (“E-Permits locked in,” Voice, October 31).
Petitioner Fiona Keating told us last month: “I am not convinced that council administration has fully considered the potential breach or mis-use of personal data. It is not just my privacy that I need to consider, but more importantly that of my visitors.”
Another “high risk” problem related to external hacks: “The audit identified 56 critical and 47 high vulnerabilities” in the council’s outdated software.
“These vulnerabilities could be exploited and may result in unauthorised access to sensitive data or the loss of system operation.”
The council’s wifi is also not very secure, and a sufficiently skilled hacker within range could intercept staff login details.
The council’s computers also don’t enforce “segregation of duties,” the control intended to stop one person performing conflicting roles, a gap the audit says can “possibly lead to fraud”.
A lack of “segregation of duties” was identified as a major failing at the Department of Housing that allowed Paul Whyte to authorise $25 million in illicit payments without anyone else having oversight.
All up the auditor general’s review saw 24 to-do items added to Vincent’s audit log, with some fixes to start in December. Some of the database problems will take until March 2022 to fix.
Previously councils were able to self-audit these areas, but as of this year the state government empowered the auditor general’s office to carry them out.
When the new audit laws were rolled out local government minister David Templeman said “this provides more independent oversight than has previously been the case and increases transparency and accountability”.