House of Assembly Fifty-Fifth Parliament, First Session (55-1) 55 1 Parliament of South Australia House of Assembly published Question Time Super SA Cybersecurity Incident Super SA Cybersecurity Incident Mr COWDREY House of Assembly Colton Super SA Cybersecurity Incident Mr COWDREY (Colton) (14:27): My question is again to the Treasurer. Has the government conducted contract management activity or risk assessments of third-party providers in compliance with the South Australian government's data security and storage requirements? With your leave, sir, and that of the house, I will explain. Leave granted. Mr COWDREY House of Assembly Colton Mr COWDREY: The Auditor-General, in his 2022 annual controls opinion report, stated that insufficient checks of the organisation's data security and systems were being undertaken by the South Australian government. The Hon. S.C. MULLIGHAN House of Assembly Lee Treasurer Minister for Defence and Space Industries The Hon. S.C. MULLIGHAN (Lee—Treasurer) (14:27): In short, yes, across government there is a significant amount of effort on making sure that agencies are putting a much stronger focus on contract management. For example, if you have a look at the Auditor-General's Report, he raises significant concerns about the contract that was entered into, I think in November 2021, with Ventia, a significant facilities management company appointed by the previous government to undertake facilities management across a range of agencies. Certainly, the experience to date from the client agencies, let alone the people that those agencies are meant to be providing services to, is that that contract has been very difficult. Specifically, in relation to the member for Colton's broader line of questioning which is about the cybersecurity breach, I am advised that it occurred—again, as I said before—in a third-party provider for services to governments agencies. It was a call centre, and the call centre was contracted, as I am advised, by Super SA to assist Super SA field phone calls from Super SA members who were impacted by the 2019 cybersecurity breach. It is still being investigated why that call centre provider had retained data on its systems relating to managing that particular agency's client relations task in relation to the 2019 much broader Frontier cybersecurity breach. As far as I am aware, the contract that engaged that call centre, which has been the subject of this specific cybersecurity breach the member for Colton's questioning relates to, was engaged to deal with those inquiries back from the 2019 cybersecurity breach. That raises, we could all understand, a series of further questions: what requirements are there for these agencies to not continue holding government data on their ICT systems after they complete doing work for government? The member for Colton might recall that this was the source of the Frontier cybersecurity breach in 2019 that caused the data of tens of thousands of public sector workers and former public sector workers to be breached. That payroll data had been kept on Frontier's networks for a period of time longer than it should have been, and it seems this same issue has arisen again in the same context of dealing with the customer inquiries from that same cybersecurity breach. It is absolutely clear that the way in which these incidents have been managed is not good enough because it is causing the exposure of South Australians' sensitive data to be exposed to illegal access. The point that sits behind the member for Colton's question—what activity is now ongoing across the public sector to review the requirements of these contracts—is a good question because government agencies are having to review the stipulations they have in these agreements with third-party providers to make sure this sort of thing doesn't happen.