Services Australia said it has “actioned” several security-related vulnerabilities found in an identity exchange it operates for the government’s digital identity system, including one rated ‘high risk’.
The vulnerabilities were uncovered in periodic security assessments commissioned by the agency, but only disclosed by the Office of the Australian Information Commissioner (OAIC) last week.
The exact nature of the vulnerabilities isn’t discussed, but they are broadly described as “ICT security-related” and relate to how the identity exchange handles personal information.
There also isn’t an exact number of vulnerabilities published, although one was considered to present a “high risk” to privacy – demanding “immediate” attention, based on OAIC definitions – while “several” were considered to pose a medium risk.
Because the OAIC report is based on field activity from this time last year, the remediation status of the vulnerabilities wasn’t immediately clear.
It’s possible there was a year-long gap between the OAIC learning of the vulnerabilities and publishing a report, to follow responsible disclosure principles.
Asked by iTnews whether the vulnerabilities had been remediated or mitigated, a Services Australia spokesperson said they had been “actioned” and that the exchange is safe to use.
“All the medium to high risks from the security assessments referred to in the report have been actioned since the OAIC began its review 12 months ago,” the spokesperson told iTnews.
“Maintaining the security of all our systems, including the ID exchange, and the protection of people’s personal information remains a top priority and we have contemporary protections and processes in place.
“The ID exchange remains secure and people can continue to use their Digital ID to securely sign in to government online services.”
“Not fully implemented”
When the OAIC went looking in February 2022, it found recommendations from penetration tests and annual Infosec Registered Assessors Program (IRAP) assessments that had not been “fully implemented” by the agency.
An IRAP assessment, in particular, “recommended that Services Australia develop a detailed implementation plan and schedule for all critical and high-risk vulnerabilities that have been identified,” the OAIC noted.
The watchdog recommended Services Australia “take steps to appropriately manage the medium and high risks identified in its regular information security assessments.”
Services Australia accepted the recommendation and said in the report that it is “taking a coordinated approach, involving experts across various ICT and cyber security teams, to continue to appropriately implement the recommendations from previous ICT assessments.”
The agency added its central cyber security division is working to improve the way it monitors and manages vulnerability remediation by the internal ‘owners’ of key business systems.
Services Australia’s spokesperson did not address a question from iTnews about the apparent gaps in vulnerability tracking and remediation identified by the OAIC, and the status of addressing them.
The spokesperson said that “regular security assessments are part of a suite of protections and an essential part of keeping our systems secure – this is an ongoing process.”
“Any emerging risks from subsequent assessments are being prioritised and actioned accordingly,” the spokesperson said.
Data breach response plan untested
The OAIC also found the data breach response plan for the identity exchange had never been tested, and did not contain specifics on who to contact for incident response.
“Failing to test its data breach response plan in relation to the identity exchange creates a medium privacy risk as it may reduce Services Australia’s ability to identify risks and gaps in the plan and respond quickly to a data breach,” the privacy watchdog found.
“This may include the risk that the failure to clearly indicate the response team and their responsibilities may mean that staff may not know of, or follow, Services Australia’s data breach response plan.”
In response, Services Australia committed to run a test of the response plan in the first quarter of 2023.
Other key findings
The privacy assessment identified some other “medium” risks, including an un-updated privacy policy – since corrected; a lack of measurable goals and targets for privacy-related improvements, and lack of documentation detailing the separation of Services Australia and digital identity system (DIS) functions.
“There is a medium risk that the separation of Services Australia’s DIS functions will not be properly enforced and any privacy issues regarding the identity exchange will not be managed appropriately and consistently,” the privacy watchdog said.
“For example, it may increase the risk of personal information collected for the identity exchange being used or disclosed for a secondary purpose.”
The agency said it would address the latter two issues by the end of next month.
Switchboard
The digital identity exchange is one component of the broader digital identity system (DIS) run by the government.
The exchange “acts like a switchboard, transferring information, with [user] consent, between relying parties, identity providers and attribute service providers, in a way which is secure and respects [user] privacy”, documentation for the DIS states.
The DIS is intended to act as a way to authenticate to government services, initially both federal and state or territory.
So far, users can only create a digital identity to access government services using the government’s own myGovID, but it is envisioned that other identity providers will also be added in the future.