It took eight days to remove the bad guys from the parliamentary network, according to evidence given to the Senate Finance and Public Administration last Thursday.
The Department of Parliamentary Services (DPS) became aware of the breach on January 31, and called in the Australian Signals Directorate (ASD) for help. The attackers were removed on February 8.
What happened in the intervening eight days?
"At this point I have to say that, given this forum, I am unable to go into any further detail," said the President of the Senate, Senator Scott Ryan.
Ryan tabled a report on the incident. The report itself has not yet been published, but his verbal evidence reveals disturbing gaps in DPS defences and procedures.
"While I do not propose to discuss operational security matters in detail, I can state that a small number of users visited a legitimate external website that had been compromised," Ryan said.
"This caused malware to be injected into the Parliamentary Computing Network."
Ryan said he released this information as a "salient warning" for users to be "cautious and vigilant when clicking on any documents, attachments or links that are outside of our environment".
While two affected senators had been contacted by phone, the rest of the "several thousand people who access the network" were sent a notice to reset their passwords -- via the very network that they'd just been locked out of.
As Senator Kimberley Kitching quite rightly noted: "If the department knew that the system was down, why send out an email to a system that wasn't accessible? That's a little problematic."
"No, we were fully aware," said Ryan.
"That would not make sense," said Kitching.
"It was done in full consultation with the Speaker [of the House of Representatives] and myself," Ryan said. "There was no other alternative given the advice that we received required the wholesale network password reset."
Extra tech support staff had to be brought in to handle the calls.
"We really can't go into, in a public forum, more details of the stages of what happened or explanation for various reasons," Ryan said.
Kitching then noted: "At the time there was a suggestion made to DPS that DPS might acquire our mobile numbers and contact people that way."
Ryan's response: "There has been work with whips, I think, looking into that. That's currently, at least in my experience, still under discussion with whips."
That's right, nine months after the breach there doesn't seem to be a list of all users' phone numbers. That makes this next revelation even more worrying. Or amusing, depending on your personal philosophy.
Ryan also noted that "our computer asks us to change our password for good security reasons quite often", despite that now being contrary to best practice.
One of the documents tabled was a form titled "Authority to reset parliamentarians' passwords", a form not issued until February 15, a full fortnight after the breach was discovered.
"From memory, the purpose of that authorisation was to enable parliamentarians to provide formal authority for passwords to be changed on parliamentarians' behalf by their staff," said DPS secretary Robert Stefanic.
"In the past, there had been ad hoc approaches by email and phone. This was an attempt to formalise that process."
In other words, staff could call or email to reset a parliamentarian's password, and be told that password. Obviously anyone pretending to be staff could do the same.
"The exact process we use to verify the identity I will take on notice and provide more information on," said Ian McKenzie, the DPS chief information security officer.
In general terms, there are "number of ways that security is verified", he said.
"If we see a phone call come from that office, for example, then it verifies at least that that is the extension and the call is coming from the verified senator or member's office -- and the same with electorate offices."
DPS had reassured us in March that the attack was detected early, although it admitted that it still had work to do on fighting external threats. On Thursday's evidence that would certainly seem to be the case.