Queensland's largest regional water supplier, Sunwater, says it was targeted by hackers in a cyber security breach that went undetected for nine months.
It has been revealed that hackers left suspicious files on a webserver to redirect visitor traffic to an online video platform last year.
Sunwater admitted the cyber breach after the tabling of a Queensland's Audit Office report into the state's water authorities, which mentioned the incident but did not say which authority was targeted.
Following questions from the ABC, Sunwater confirmed it was the authority affected by the breach revealed in the Audit Office's report.
A Sunwater spokesperson said no financial or customer data had been compromised and immediate steps had been taken to improve security once the unauthorised access to an online content management system was detected.
"Sunwater takes cyber security very seriously and acknowledges the findings in the Queensland Audit Office report,'' it said.
The Water 2021 report stated the cyber breach had occurred between August 2020 and May 2021 and involved unauthorised access to the entity's web server that stored customer information.
The report found "threat actors" had targeted an older, more vulnerable version of the system.
The webserver contained suspicious files that increased visitor traffic to an online video platform, the report said.
It noted weaknesses in the system had allowed the cyber breach to remain undetected for nine months.
Six water authorities including Seqwater, Sunwater, Urban utilities, Unitywater, Gladstone Area Water Board and the Mount Isa Water board were examined in the report, which warned of vulnerability in information systems.
Deficiencies in internal controls including relating to funds transfer payment information, were also highlighted.
The 36-page report called for immediate action to fix "ongoing security weaknesses in information systems".
It noted in the case of the cyber breach, measures had been taken to fix the issue including updating software, using stronger passwords, and monitoring incoming and outgoing network traffic.
The report said despite the audit office last year recommending that entities strengthen the security of their information systems, not all had acted to address the issue.
It said three of the six entities still had "control weaknesses" on June 30.
Multiple issues found in internal controls
The report also highlighted problems with some internal controls, finding 24 deficiencies in the sector.
These related to the access of electronic funds transfer payment information, security of supplier and employee information, and in one case, deficiencies in a review of the effectiveness of property, plant and equipment.
One authority was found to have three deficiencies in relation to management of user access across financial, invoicing and payroll systems, the report noted.
It said entities should only assign employees the minimum access to perform their jobs.
Under the heading "Further Action Needs To Be Taken", the report said cyber attacks were a risk with ongoing changes in entities' working environments due to COVID-19.
Responses to the issues had been received from the entities involved to correct the issues raised, the report stated.
Flood damages
The report also noted the liabilities from the 2011 south-east Queensland floods class action when flood victims sued the state government, Sunwater and Seqwater.
Seqwater was no longer liable for damages from the class action after successfully appealing the court judgement, the report said.
However, Sunwater's settlement was $80 million lower than estimates in its 2019-20 report, the auditor found.
That financial year, Sunwater estimated its liability from the floods would be $330 million.
The report stated the water sector's profits had increased by $234.7 million for the 2020 to 2021 financial year.
The sector's total shareholder returns were $497.2 million, which was made up of dividends paid to Queensland government shareholders, a portion of the water distributor-retailers' profits paid to local governments, and income tax equivalents paid by commercial operations in government instead of tax.
Another issue flagged by the report was Queensland being affected by extreme weather conditions with 34 councils fully drought declared.
It also noted the state's water recycling system that treated wastewater effluent from Brisbane and Ipswich at three water treatment plants remained in "care and maintenance" mode, meaning it was not used at full capacity during the last financial year.
However, purified recycled water from the scheme was used in power stations in place of water from dams.