
Report: VIC gov’s vendor payment details altered in cyberattacks

Shanna Hall

Over the past eighteen months, Victorian government departments have faced a series of cyberattacks that altered vendors’ bank details held in a central database. According to a report by the Auditor-General’s Office (VAGO), there were four notifications of such changes in vendor master files. 

The concerning revelation comes as part of a wider audit and report on the VIC government’s procurement processes, which concluded that, “All departments have processes for investigating fraud and corruption incidents when they have been alerted to them. But only two departments use data analytics to flag unusual or suspicious activity to proactively detect risks.”

The report further breaks down the discrepancies between departments and their anti-fraud control procedures, urging slow adopters to consider more proactive, technology-enabled ways to monitor fraud risks.

What was altered in the VIC government cyberattacks? Understanding vendor master files

A vendor master file (VMF) is a database containing detailed information about an agency’s suppliers, including bank account details, Australian Business Numbers (ABNs), and invoice records. It’s foundational to everything from business-to-business transactions to tax and GST reporting. Most crucial for VAGO’s auditing scope is the central role that VMFs play in secure, transparent financial transactions – which is why the file needs to be protected with robust data protection policies and anti-fraud controls.

However, the recent report and the cyberattacks illustrate just how few organisations have appropriate guardrails and protections for this data. And government agencies aren’t alone – at Eftsure, we know from experience that many businesses don’t keep clean VMFs or design control procedures to keep the information secure. This isn’t because those businesses are lazy or negligent; it’s because keeping VMFs up to date manually is a time-consuming, labour-intensive process.

While the problem is understandable, it still creates vulnerabilities that cybercriminals are keen to exploit. Researchers have even flagged that scammers are using malicious artificial intelligence (AI) tools to alter key financial information more quickly and efficiently than ever.

So it’s no surprise that VAGO is urging VIC departments to rethink and beef up their anti-fraud procedures.

VAGO encourages departments to adopt technology solutions for detecting fraud risks

VAGO used its report to stress the importance of adopting data and analytics to detect fraud and corruption risks. According to its report, this proactive approach is already being employed by some departments but needs broader implementation across the board.

Two departments that have set an example are the Department of Jobs, Skills, Industry and Regions (DJSIR) and the Department of Transport and Planning (DTP). According to the VAGO report, these departments currently utilise data analytics to proactively identify fraud and corruption risks before awarding supplier contracts. For instance, DTP employs specialised software that verifies the legitimacy of suppliers’ details and checks bank account information against employees’ bank details. This thorough scrutiny helps to mitigate the risks of fraudulent activities.
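As an added illustration (not code from the VAGO report, DTP or Eftsure), the sketch below shows the kind of checks described above: an ABN checksum test, a comparison of vendor bank accounts against employee bank accounts, and a flag for bank-detail edits. The record layout, the `review_vendors` helper, the change log and all sample values are assumptions constructed for this example; a passing checksum only shows the ABN is well formed, not that it is registered to the supplier.

```python
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)

def abn_checksum_ok(abn):
    """ABN check: subtract 1 from the first digit, apply weights, sum % 89 == 0."""
    d = [int(c) for c in re.sub(r"\D", "", abn)]
    if len(d) != 11:
        return False
    d[0] -= 1
    return sum(x * w for x, w in zip(d, ABN_WEIGHTS)) % 89 == 0

def bank_key(bsb, account):
    """Normalise BSB/account so formatting differences cannot hide a match."""
    return (re.sub(r"\D", "", bsb), re.sub(r"\D", "", account).lstrip("0"))

def review_vendors(vendors, employees, changes):
    """Return {vendor_id: [flags]} for records an analyst should review."""
    staff = {bank_key(e["bsb"], e["account"]): e["id"] for e in employees}
    flags = {}
    for v in vendors:
        hits = []
        if not abn_checksum_ok(v["abn"]):
            hits.append("abn_checksum_failed")
        owner = staff.get(bank_key(v["bsb"], v["account"]))
        if owner:
            hits.append(f"bank_matches_employee:{owner}")
        # Edits to bank fields are the kind of VMF alteration the audit reported.
        if any(c["vendor_id"] == v["id"] and c["field"] in ("bsb", "account")
               for c in changes):
            hits.append("bank_details_changed")
        if hits:
            flags[v["id"]] = hits
    return flags

# Constructed sample data (hypothetical layout, not from the VAGO report).
VENDORS = [
    {"id": "V001", "abn": "25 411 111 123", "bsb": "063-000", "account": "1234 5678"},
    {"id": "V002", "abn": "25 411 111 124", "bsb": "083-001", "account": "00998877"},
    {"id": "V003", "abn": "28 311 111 123", "bsb": "033-002", "account": "555666"},
]
EMPLOYEES = [{"id": "E17", "bsb": "083001", "account": "998877"}]
CHANGES = [{"vendor_id": "V003", "field": "account", "old": "111222", "new": "555666"}]

if __name__ == "__main__":
    for vendor_id, hits in review_vendors(VENDORS, EMPLOYEES, CHANGES).items():
        print(vendor_id, hits)
```

Flagged records are leads for manual verification with the supplier through an independently sourced contact, not proof of fraud.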

VAGO’s report recommends that all departments adopt regular data analytics reviews to assess their procurement activities for potential fraud and corruption risks. At a minimum, this involves collating and centralising data for thorough export and review processes.

The report also highlights that three departments have yet to implement a data analytics program to test their fraud and corruption vulnerabilities, with departments citing competing priorities and a lack of resources as the main obstacles.
