ATO admits SAN outage made it less secure

The Australian Taxation Office has gone backwards after it needed to disable whitelisting as it restores its SAN hardware.
Written by Chris Duckett, Contributor

The ATO is going backwards on the whitelisting front

(Image: ATO)

While the Australian Taxation Office (ATO) has been improving its security stance since the Australian National Audit Office (ANAO) declared it had insufficient protection against external threats, its storage hardware problems have seen the agency head backwards on one front.

In a submission [PDF] to the Joint Committee of Public Accounts and Trust that is following up on the ANAO report, the ATO admitted it needed to disable some whitelisting in the wake of a series of outages that began in December and were described as the result of a world-first hardware issue.

"Whilst the ATO was fully compliant in November 2016 with whitelisting our Windows based servers, our current levels of compliance have been impacted by the ATO's recent SAN outages," it said.

"In support of the full restoration and remediation program, whitelisting on a range of servers needed to be disabled and re-enabled as the restoration progresses. We have plans in place to progressively re-enable whitelisting in coming months taking into account tax time activities."

The hardware issue also pushed back the ATO's patch cycles, and whitelisting is set to be in place again by June.

The tax agency said it is set to receive external advice on its security structure and adherence to the Australian Signals Directorate's guidance in October 2017.

Last week the ATO revealed it had received 136 complaints since its outages began in December, and needed to call upon specialised SAN engineers from both within and outside Australia, as well as engineers from SAN provider Hewlett Packard Enterprise, and its own staff.

The ATO appointed PwC to conduct an independent review into the long-running incident at the end of January, with the ATO conducting a Post Incident Review of its response to the December and February incidents, and HPE also undertaking its own "root cause review".


The ATO is doing much better with patching.

(Image: ATO)