Vic gov supplier bank details altered in cyber attacks

Victorian government departments have had the bank details of suppliers that are held in a central database altered by hackers four times in the space of a year-and-a-half.

The Victorian Auditor-General’s Office (VAGO) said [pdf] it received four notifications of bank details being changed in departments’ vendor master files due to a cyber attack.

A vendor master file is a central database that holds information about an agency’s supplier details, including their bank account details, Australian Business Number (ABN) and invoice records, according to the office.

VAGO declined to provide further comment about the cyber attacks when contacted by iTnews, citing confidentiality.

However, it used the report to urge Victorian departments to adopt data and analytics to detect “fraud and corruption risks”.

Two departments that were audited, the Department of Jobs, Skills, Industry and Regions (DJSIR) and the Department of Transport and Planning (DTP) currently use data analytics to “proactively identify fraud and corruption risks” prior to awarding supplier contracts.

DTP, for example, uses "specialised software to identify and reduce fraud and corruption risks", which the audit said checks suppliers' details to make sure they are up to date and legitimate and their bank details against employees' bank details.

This approach should be adopted more widely, the report said, recommending that departments “set up regular data analytics reviews to assess their procurement activities for fraud and corruption risks”.

“At a minimum, this involves collating and centralising data so they can export and review it,” VAGO added.

Three departments said they aimed to set up a data analytics program to test their fraud and corruption vulnerabilities but have yet to do so “due to competing priorities and a lack of resources”.