Newcastle Herald
Sage Swinton

The $250,000 cyber attack that sparked bolstered security for City of Newcastle

CYBER SECURITY: Newcastle council's email servers were hacked through a phishing scam in August 2019, resulting in more than $233,000 being transferred to a fraudulent account. Picture: Simone De Peak

City of Newcastle has implemented more vigilant cyber security after a 2019 email cyber attack resulted in a debt of almost $250,000, according to council's CEO.

Council's email systems were hacked in August 2019 through a phishing email scam and debtors were issued with fake invoices. These were paid to a fraudulent account while council's actual tipping fee invoice was left outstanding.

The council recovered the payment of $233,365.18 through insurance in March 2021, while a legal cost of $16,315 was incurred in establishing liability for the financial loss.

The issue arose at council last Tuesday in a motion to write off the $249,680.18 debt as the insurance payment can't be applied directly to the sundry debt account, while the legal fees will be covered on council's balance sheet by its provision for doubtful debts.

Liberal councillor Callum Pull moved an additional point to the motion to ask for a workshop "discussing and outlining the processes and training that is in place to prevent another occurrence".

"It is in our interest to understand the steps that are being taken to mitigate and prevent something like this from happening again," he said.

The NSW Auditor General identified ongoing "high risk" cyber security and IT concerns at Newcastle council in 2019/20 findings published in a financial audit, including no cyber security awareness program.

Council's CEO Jeremy Bath said that in the past two years, City of Newcastle had invested in the creation of a four-person cyber security team, closed out 52 audit actions in regard to cyber security, and designed and implemented a cyber security policy and framework.

The council receives about 12,000 phishing emails every month, Mr Bath said, and staff are also regularly put through mock phishing exercises.

"We are exceptionally vigilant today, in terms of the area of cyber security," he said.

"That doesn't put to bed the risk that we continue to be at because there is always the element of human competency and someone's ability to detect and identify that they what they have received is a phishing exercise."

Greens councillor John Mackenzie, who is on council's audit and risk committee, said an external audit between June and September 2020 resulted in 38 recommendations, 34 of which had been implemented.

"There's four remaining outstanding, and they are as far as I'm aware, fully on track," he said.

"I think it's critical to understand the extent that this issue has been taken seriously by this organisation for the past five years."
