Audit slams council IT security

FREMANTLE council’s online security is so lax that parts of a state audit have been kept secret over fears it could be an Eldorado for hackers.

A damning report by the WA auditor general’s department labelled the council’s IT security and risk management “ad hoc” and “disorganised”.

In one instance, an administrator’s account linked to users with privileged access to sensitive parts of the network had the same password for 21 years.

And on more than a dozen occasions during the 12-month period audited, staff changed details about suppliers on the council’s master files without any evidence of oversight. That meant they could have been changing bank details to suit themselves, raising the risk of “funds being inappropriately transferred”. The report does not suggest there has been any fraud.

The council’s payroll database was found to be vulnerable, as sensitive information hadn’t been encrypted and the server hadn’t been isolated to prevent direct access.

“Without appropriate database controls and security in place, there is an increased risk that the confidentiality, integrity and availability of sensitive information may be compromised,” the auditor’s report found.

A list of 26 areas of concern for the auditor found “management of technical vulnerabilities” a significant risk, while another 21 areas were moderate risk and five were minor.

“Based on the audit team’s assessment of risk, some specific details of findings have been removed and provided in a separate confidential letter to assist the City of Fremantle in addressing the issues. These additional details, if made public, could increase the risk of cyber-attacks,” the report found.

South Ward councillor Marija Vujcic told the Herald she was shocked by the audit’s findings and ratepayers would be furious to hear their personal information wasn’t secure.

“We are not talking about an opportunity for continuous improvement here,” Cr Vujcic said.

“We are talking about systematic and procedural deficiencies that open the city to serious risks of cyber-attacks and fraudulent behaviour.

“The response from the city to the audit is far from satisfactory.”

In some instances the auditors agreed: “It is unclear how management will address the finding,” they wrote in response to a comment about a glitch in software management that meant council could be paying for software it no longer used.
