Australia Post will undertake an urgent review of its critical assets, after an audit found its ability to withstand cyber attacks was at risk.
Subscribe now for unlimited access.
$0/
(min cost $0)
or signup to continue reading
A new report by the Australian National Audit Office found the government-owned corporation had not met its own benchmarks for cyber security, and was not "cyber resilient".
Australia Post was one of three government bodies chosen for the audit, as the nationally significant databases they managed could be a target for cyber-criminals.
While the company is best known for its mail and parcel delivery services, it also manages financial transactions and payment services domestically and internationally.
It also provides identity verification services, including for passports, licence renewals and proof of age cards, and data management and logistics services, for private business and governments.
Organisations deemed "cyber resilient" are those that are able to fend off cyber intrusions while still delivering core services.
The audit found while Australia Post had effective ICT general controls in place for managing logical access and change processes, it had not systematically managed cyber risks.
Two of its critical systems - the Corporate Data Warehouse and eParcel applications - had not had security risk assessments performed in the past two years.
Australia Post did not perform regular assessments of passwords being used across its network, and while its servers were able to log security information, logging had not been configured for Australia Post's desktops.
In a statement, Australia Post said it was committed to ensuring the security and integrity of its systems, and to deterring and responding to cyber intrusions.
"Our continued vigilant focus on the further implementation of our cyber security risk management framework, and on protecting the integrity and security of our systems, will assist in the preservation of a strong framework of cyber resilience for the benefit of our employees, customers and the Australian community," it said.
Australia Post was by far not the worst of the government bodies audited over the past few years.
Only four entities have been found to comply with the government's requirements for information security.
The Australian Federal Police and the Australian Bureau of Statistics were assessed as vulnerable to cyber attacks - a lower category - in previous assessments.