WA Government Data Breach and $71,000 Fraud Highlight Microsoft 365 Security Risks

An audit found weak Microsoft 365 security controls across WA government entities, contributing to a data breach involving minors and a $71,000 fraud incident.

3/10/2026, 4 min read

A recent report from the Western Australian Office of the Auditor General has revealed serious cyber security weaknesses across several state government organisations. The report found that poor security configuration in Microsoft 365 environments contributed to two major incidents: the exposure of sensitive personal data involving minors and a fraud attack that resulted in the loss of $71,000.

The findings highlight how gaps in cyber security controls, weak authentication methods, and insufficient monitoring can create opportunities for attackers.

Personal Information of Minors Exposed

One of the incidents described in the report involved a government entity sending sensitive personal information about 32 individuals, including minors, to a third-party service provider via email.

The service provider later uploaded this information to a cloud storage account on Dropbox. That account was subsequently compromised in a cyber security incident, exposing the data to an unknown threat actor.

Investigators found that the government entity had not implemented Data Loss Prevention (DLP) controls within its Microsoft 365 environment. Without these controls, the organisation had no way of detecting when sensitive information left its systems or determining the full extent of the exposure.

The audit also found that the organisation had not conducted a security assessment of the third-party service provider before sharing sensitive data with them.

Phishing Attack Resulted in $71,000 Fraud

The report also outlined a targeted phishing incident involving a senior officer whose Microsoft 365 account was compromised.

Attackers exploited weak multi-factor authentication (MFA) controls and registered their own device from an unmanaged overseas location. This allowed them to gain access to the account without triggering any security alerts.

Once inside the account, the attacker created email forwarding rules to hide their activity from the account holder. They then spent weeks analysing the officer’s email history to understand normal communication and payment processes.

Using this information, the attacker sent fraudulent invoices that appeared legitimate. These invoices were processed before the fraud was detected, resulting in a loss of $71,000.

Although the organisation was able to recover the funds through insurance and banking processes, investigators were unable to complete a full forensic investigation because sufficient system logs had not been retained.
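
A detection check for the mailbox rules described in this incident, as an added example that is not taken from the audit report or from CyberLit: it scans mailbox audit records for rule changes that forward mail to an external address or delete it. The records are constructed and simplified, and the record layout, the agency.example domain and the function names are assumptions.

```python
# Added example: flag mailbox rules that forward mail externally or hide it from the owner.
# Records are CONSTRUCTED; the simplified layout (Operation, UserId, Parameters) is an assumption.
INTERNAL_DOMAINS = {"agency.example"}   # assumption: the organisation's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")
SAMPLE_RECORDS = [  # constructed sample data
    {"CreationTime": "2025-01-06T02:14:09", "UserId": "officer@agency.example",
     "ClientIP": "203.0.113.45", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "smtp:collector@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-01-07T09:30:00", "UserId": "clerk@agency.example",
     "ClientIP": "198.51.100.7", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-01-07T10:02:41", "UserId": "clerk@agency.example",
     "ClientIP": "198.51.100.7", "Operation": "MailItemsAccessed", "Parameters": []},
]

def external_recipients(value):
    """Return addresses in a rule parameter whose domain is not internal."""
    out = []
    for addr in value.replace(",", ";").split(";"):
        addr = addr.strip().lower().removeprefix("smtp:")
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            out.append(addr)
    return out

def review_inbox_rules(records):
    """Return one finding per rule change that forwards externally or deletes mail."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        external = [a for k in FORWARD_PARAMS for a in external_recipients(params.get(k, ""))]
        hides = sorted(k for k in HIDE_PARAMS if params.get(k, "False") not in ("", "False"))
        # A folder move alone is ordinary filing; alert on external forwarding or deletion.
        if external or "DeleteMessage" in hides:
            severity = "high" if external and hides else "medium"
            findings.append({"user": rec["UserId"], "ip": rec["ClientIP"],
                             "time": rec["CreationTime"], "external": external,
                             "hides": hides, "severity": severity})
    return findings

if __name__ == "__main__":
    print(review_inbox_rules(SAMPLE_RECORDS))
```

A check like this only works over the period for which audit records are still retained.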

Security Weaknesses Found Across Multiple Entities

The audit examined Microsoft 365 security settings across seven government entities and identified multiple security gaps.

None of the organisations had fully implemented Data Loss Prevention controls across Microsoft 365 services such as OneDrive, SharePoint, Exchange, Teams, and the Power Platform.

Employees were also allowed to store work data on unmanaged external services including Dropbox, Facebook, and Google Drive. Without technical controls to restrict this behaviour, sensitive information could be transferred outside official systems without detection.

Weak Authentication Methods Increased Risk

Another key finding in the report was the use of weaker forms of multi-factor authentication.

Several entities relied on SMS messages, voice calls, or email one-time passwords for authentication. According to the Australian Signals Directorate, these methods are more vulnerable to phishing and social engineering attacks.

The report noted that weak MFA methods were responsible for a large portion of cyber security incidents affecting Australian government organisations.

Additionally, personal devices were allowed to register for authentication without being enrolled in device management systems, which increases the risk of attackers registering their own devices to compromised accounts.

Other Security Gaps Identified

The audit identified several other security concerns.

Staff were able to install unapproved Microsoft Teams applications and use external code within Power BI tools. This creates the possibility that vulnerable or malicious applications could be introduced into the environment.

Some organisations also allowed users to create their own Microsoft 365 tenants and assign themselves administrative privileges.

In other cases, employees could invite external guests to access sensitive data without administrator approval, increasing the risk of accidental or intentional information leakage.

Logging practices were also insufficient in some entities. Cyber security guidance recommends retaining logs for at least 18 months to support monitoring and investigations, yet some organisations were only keeping logs for six months.

Lessons from Major Cyber Incidents

The report also noted similarities with the 2022 Medibank data breach, which began after attackers gained access through a compromised personal device used for authentication.

That breach eventually exposed the private health records of nearly 10 million Australians and demonstrated how weaknesses in authentication and monitoring can lead to large-scale data exposure.

Strengthening Microsoft 365 Security

To reduce these risks, the report recommends that organisations implement stronger cyber security controls. These include phishing-resistant multi-factor authentication for privileged users, restricting where organisational data can be stored, implementing Data Loss Prevention controls across Microsoft 365 services, and performing security assessments before granting third-party vendors access to sensitive information.

Organisations are also encouraged to adopt recognised cyber security frameworks such as the Australian Signals Directorate’s Essential Eight.

What This Means for Organisations

These incidents demonstrate that cyber attacks often succeed not because attackers use advanced techniques, but because organisations have gaps in their security controls.

Many workplaces rely heavily on cloud platforms such as Microsoft 365 for communication, collaboration, and data storage. Without proper security configuration and employee awareness, these systems can become entry points for attackers.

Improving cyber security requires both strong technical controls and employees who understand how to recognise threats such as phishing emails and fraudulent payment requests.

How CyberLit Can Help

CyberLit supports organisations in strengthening workplace cyber security through education and practical security assessments.

For organisations seeking to reduce the risk of phishing attacks, fraud, and data breaches, CyberLit provides training and security assessment services designed to improve everyday cyber security practices.

Contact: info@cyberlit.com.au