Audit finds major vulnerabilities remain seven years after initial hack
The computer network used by federal politicians and thousands of parliamentary staff was left vulnerable to subsequent mass hacking attempts; Auditors have found major errors persist even seven years after the Houses of Parliament were targeted in a high-profile cyber attack.
A scathing report by Australia’s National Audit Office has found that the Department of Parliamentary Services, which manages the online network, failed to properly implement seven of the government’s eight key cybersecurity controls.
The findings raise fresh concerns about the resilience of one of the country’s most sensitive IT environments, at a time when intelligence agencies continue to warn that Australian government systems remain prime targets for foreign espionage and cyber attacks.
Auditors concluded that the department’s cybersecurity posture was only “partially effective” and found that it relied on incomplete workarounds and risk management measures that failed to adequately address known vulnerabilities.
The ANAO found weaknesses in critical security measures, including multi-factor authentication, software patching, administrative access controls, application security and backup arrangements.
The audit also found that the parliamentary network, used by around 5,000 people on around 11,000 devices, may not have been configured appropriately to manage the different security risks posed by MPs, senators, electoral offices and parliamentary departments.
In October last year, it was revealed that more than 100,000 sensitive parliamentary emails and documents were handed over to a private law firm despite internal warnings of an “extreme” cybersecurity risk. The firm, which was previously subject to a major Russian ransomware attack, was also granted broad administrative access to parliamentary systems during the investigation into allegations of misconduct by senior officials.
Last month, it was revealed that independent MP Zali Steggall’s WhatsApp account was hacked in March as part of a phishing scheme thought to have been orchestrated by the Russian government, which led to the messaging platform being blocked on parliamentary laptops.
The FBI issued a public warning in March about phishing campaigns targeting messaging apps from Russian intelligence-linked actors, while Dutch agencies warned of a global effort to compromise accounts on platforms such as Signal and WhatsApp; Hundreds of accounts in Germany were reported to have been compromised in April – including those of the speaker of the federal parliament and other senior figures.
In a significant warning, auditors said the department had previously acknowledged that the network “may no longer be fit for purpose” and lacked appropriate segmentation between users, increasing the potential consequences of a successful breach.
The watchdog found that key cyber policies were incomplete, risk registers were incomplete, critical IT assets were not fully documented and some systems were operating with expired security approvals.
More than half of the department’s cybersecurity staff had been in their positions for less than a year following a significant turnover, creating further challenges in managing cyber risks.
The report found that the department consistently acknowledged cyber risks beyond its tolerance levels and lacked a single authoritative record tracking vulnerabilities and remediation efforts.
The audit made two recommendations calling on the department to overhaul its cyber governance framework and implement a risk-based program to address known vulnerabilities and ensure compliance with federal cybersecurity requirements. DPS accepted the recommendations and said new funding in the 2026-27 budget would support a major cyber resilience improvement of the parliamentary network.
Opposition private minister James McGrath said the findings were worrying given parliamentary services were responsible for protecting sensitive information of parliamentarians, staff and parliamentary units.
“Australians should expect the institution at the heart of our democracy to be protected against increasingly sophisticated cyber threats from foreign state actors,” he said.
“Given the current threat landscape, it is clear that Labor needs to get much tougher when it comes to cybersecurity.”
Cut through the noise of federal politics with news, views and expert analysis. Subscribers can sign up for our weekly Inside Politics newsletter.
