The Australian Capital Territory government is one of the victims of a vulnerability found in Barracuda’s email security gateway (ESG) system. In a press conference on 8 June, ACT government chief digital officer Bettina Konti said there is a likelihood that some personal information is involved. However, a harms assessment needs to be completed before the likelihood is confirmed.
Barracuda had first identified the CVE-2023-2838 vulnerability on 19 May issuing a patch worldwide on 20 May, followed by a second patch on 21 May. Then, on 30 May, the vendor revealed the earliest identified evidence of exploitation took place in October 2022.
Two days before the ACT government had revealed the security breach, Barracuda posted a warning that impacted appliances must be replaced immediately. The vulnerability existed in a module which initially screens the attachments of incoming emails.
ACT government response to security breach
Once the territory government detected the vulnerability, the ACT Cyber Security Centre immediately completed a rebuild of the Barracuda system to eliminate any ongoing vulnerability, the ACT government said in a statement.
“The investigation has now identified that a breach has occurred and a harms assessment is underway to fully understand the impact specific to our systems, and importantly to the data that may have been accessed,” the territory government said.
The government added is confident that actions taken to date have contained the breach and that there is no ongoing threat, and instructed citizens can continue to use ACT Government online systems with confidence.
The ACT government is working with the Australian Cyber Security Centre and Barracuda Networks on the ongoing investigation.
Weekly updates are expected to be shared in a page dedicated to the incident.