Queensland Government Cybersecurity Weaknesses Exposed in New Audit
A recent audit has revealed significant cybersecurity vulnerabilities within several Queensland government entities, highlighting a lack of awareness regarding third-party risks and insufficient contract management practices. The Queensland Audit Office (QAO) report, tabled on March 26, 2026, found that auditors were able to gain unauthorized access to sensitive information in two of the three entities tested. The three entities were a state government department, a statutory body, and a local government entity.
Third-Party Access and Vulnerabilities
The audit demonstrated a concerning level of access granted to third-party users. According to the report, auditors were able to obtain passwords, access systems, and extract sensitive information beyond the intended scope of their authorized access. In two instances, controls were bypassed, granting the highest level of access to the entities’ IT environments. This underscores a critical weakness in how these organizations manage their relationships with external vendors and service providers.
Contractual Gaps in Cybersecurity Requirements
A key finding of the audit was the inadequacy of cybersecurity requirements within contracts. Only two out of 36 contracts reviewed mandated that third parties report cybersecurity incidents and vulnerabilities. This lack of oversight leaves Queensland government entities vulnerable to attacks originating through their supply chain, as they remain unaware of potential risks.
Risks Highlighted Years Prior
The QAO report also noted that the Commonwealth’s cybersecurity agency had been flagging these risks as early as 2021. Despite these warnings, the Queensland government has been slow to develop a comprehensive framework for managing third-party cybersecurity risks across the public sector.
Departmental Responses and Recommendations
Local Government Minister Ann Leahy stated that her department would communicate with each council to emphasize the importance of implementing the audit’s recommendations. However, she also acknowledged potential resourcing and capacity challenges for smaller or resource-constrained councils. Mark Cridland, Director-General of the Department of Housing and Public Works, affirmed his team’s commitment to improving capability in identifying and managing these risks.
The auditor-general has recommended that all public sector entities and local governments:
- Review and update their IT systems.
- Improve the identification of suspicious activity.
- Strengthen contract management practices.
Implications and Future Outlook
The findings of this audit serve as a critical wake-up call for Queensland government entities. Effective management of third-party cybersecurity risks is no longer optional; it is essential for protecting sensitive data, maintaining public trust, and ensuring the continuity of essential services. Addressing the identified vulnerabilities and implementing the auditor-general’s recommendations will be crucial steps in bolstering the state’s overall cybersecurity posture.
Further information on managing third-party cyber security risks can be found on the Queensland Audit Office website.