Noosa Council was the victim last December of a “well-organised cyber fraud” that used “sophisticated social engineering AI techniques” to extract a financial amount of $1.9 million, CEO Larry Sengstock and Mayor Frank Wilkie announced at a press conference Tuesday morning.
“We haven’t been able to divulge this information until now because it’s been subject to an international and national investigation and we were obliged to stay quiet on this,” Mr Sengstock said.
The Australian Federal Police Joint Policing Cybercrime Centre advised council this was a highly sophisticated, strategic fraudulent incident.
Mr Sengstock said the attack was made by an international group with an initial amount of $2.3 million removed and the money quickly taken overseas but $400,000 had been recovered. He said police were aware of the group and had contacted council about the cyber attack but council had been unable to make any public comment on the matter during the initial investigation by AFP, Queensland Police and Interpol.
Once notified in December, council established its incident crisis response team and engaged external independent ICT experts to conduct a forensic investigation and confirm there was no breach of Council’s system, no personal data was taken, and no council service was impacted.
“That allowed us to follow the path of investigation. It became a monetary exercise.”
Mr Sengstock said they were still negotiating with insurance companies on what they could recover.
He said the loss would be covered from reserves set aside for emergent issues.
“This is something that we wouldn’t happily provide the funding for, it’s more for emerging things that happen across the shire but we do have the ability to cater for this it hasn’t affected our operations, hasn’t affected our work in terms of the delivery of services,” he said.
“And I can be absolutely sure it hasn’t affected our judgement and our decision making in terms of our rates and other decisions we’re taking.”
Cr Wilkie said the attack had left him feeling personally “stung” but “very determined and focused on ensuring that we minimise the likelihood that this ever happens again”.
“That’s been the focus ever since it happened, ensuring the CEO and executive team have the resources to do whatever is necessary to put in place all those measures to ensure that operational vulnerability is never exploited again,” he said.
Mr Sengstock said no staff member was blamed for this.
“Everybody has their processes in place, securing our systems and our procedures,” he said. “You don’t know until some sophisticated group came along like they did, found our vulnerabilities and attacked us. Soon as we knew that we set up our taskforce, our group to make sure we put in much tighter processes. We’re also engaging a third party software provider that will give us even more assurance.”
“We acknowledge that vulnerabilities with our processes contributed to the incident which were exploited by these criminals,
“We have proactively implemented a raft of measures to improve processes, which have been recommended by the Queensland Audit Office,” he said.
This includes investing in new software, tightening procedural controls, training and recruiting additional staff.
Cr Wilkie said they had full confidence in the CEO and executive team that they’ve taken the necessary steps to implement the changes to address these operational vulnerabilities, that includes third party software, additional staff training, additional staff and more rigorous internal procedures and checks and balances.
“It wasn’t a cyber attack. Our council and other councils are under relentless cyber attack on a daily basis,” he said. “I’ve been advised by our IT team that NC systems intercept between 500 and 1500 attempts every day and that fake emails sent on imitating myself or the CEO are issued by third party agents or scammers every other day.
“Our systems are holding up in that regard. This was an unprecedented, highly sophisticated AI social engineering scam that we’d never encountered before but the CEO and executive team have taken every step to minimise the chances of it ever happening again and that’s all we can do at this point.”
Mr Sengstock said Council notified the Queensland Audit Office (IOA) and the relevant state ministers of the reportable loss within the legislative timeframe as required under the Local Government Act 2012.
“This unfortunate incident and the increasing prevalence of artificial intelligence serves as a timely warning that all councils and businesses must be responsive to an ever-changing cyber threat landscape.
“Police tell us to ensure you are continually reviewing processes and verify the legitimacy of any contact before making any sensitive changes,” he said.
The incident is still being investigated by the AFP Joint Policing Cybercrime Coordination Centre.
