Hackers exploited an unknown vulnerability to access a NSW Department of Education system last year and stole the names and email addresses of an undisclosed number of people.
The NSW Department of Education took nearly seven months to complete an "an extremely complex and time-consuming" forensic examination of its systems and of the attack, which took place in early July 2021.
It's not clear which specific Education system was initially compromised to grant the attackers access.
However, the department has now revealed that the system contained "a vulnerability which [it] did not know about."
Its security team also observed the attack in progress and moved to shut down the exfiltration of data.
"The department’s IT and security teams detected the attack while it was in progress and ceased the transfer of data," it said in newly-released FAQs.
However, attackers were still able to make off with names and addresses of an unknown number of people, which Education said it has now started notifying.
Preliminary investigations in the weeks after the attack indicated that “some information, including contact information, may have been compromised”.
Education secretary Georgina Harrisson said no passwords, banking records, credit or debit card numbers, financial records, government identifiers or health records had been accessed.
“Based on this investigation, the data taken in the attack was limited to personal information such as names and email addresses,” Harrisson said.
“Thanks to the robust cyber measures requires of all NSW government department, [Education] was able to spot the attack unfolding and take immediate steps to block it.”
The department declined to reveal how many people were caught up in the incident.
The attack forced Education to deactivate several IT systems for days to protect other student and staff data.
Online portals used by both staff and students, staff email and the staff intranet were all impacted, though were back up and running for the beginning of the school term.
The department is continuing to work with the Australian Cyber Security Centre, the NSW Information and Privacy Commissioner and NSW Police to investigate the attack.
Individuals affected by the incident are able to access support through a dedicated call centre, which has been established by the department to provide support.
More than 94,000 teachers and other staff are employed by the department, according to a 2021 snapshot.
In comparison with attacks against other NSW government entities, Service NSW took five months to begin notifying customers impacted by a phishing attack against staff members.
That attack exposed the personal information of 103,000 people, down from initial estimates of 186,000.
