Department of Treasury and Finance executives appeared before parliament’s Budget and Finance Committee this morning to provide an update on a data breach affecting around 14,000 members of the state’s public sector superannuation fund.

Treasurer Stephen Mullighan informed parliament of the breach on Wednesday, October 18.

The cyberattack targeted a call centre that had been contracted by Super SA to field calls from members affected by a 2019 data breach, Mullighan said.

Today, Treasury Department CEO Rick Persse said the Department of Premier and Cabinet (DPC) detected a data threat on the dark web on August 18.

“We were advised on the 8th of September that the information had been taken down and there was no trace of that information that DPC’s cybersecurity team could detect anywhere on the dark web or the light web,” he told the committee.

Asked where it was taken down from, Persse said: “I feel like I’m in a Jason Bourne novel – I’m told the threat was removed from the dark web.”

Later, Treasury Department chief services officer Scott Bayliss said DPC first detected the dark web threat on August 18.

“It was discovered by DPC on the 18^th of August, and we were advised that it was removed on the 8^th of September,” he said.

Asked what data was available on the dark web, Bayliss said: “We’re advised it includes file names, a random list of file names not identifying they were Super SA files or a South Australian government agency’s files.”

“The data in the unencrypted file was predominantly names, addresses, date of birth, but there was some level, for some members, other information like driver’s license numbers.”

Bayliss said the call centre company from which the data was stolen, Contact 121, was mentioned in the data release but not Super SA or the South Australian government.

“It was a random list of file names and the Contact 121 organisation was referred to,” he said.

A “threat organisation” called NoEscape was behind the attack, Bayliss said.

Persse said it was difficult to ascertain the extent and type of data that was available on the dark web.

“It’s very difficult to access data that’s encrypted on the dark web,” he said.

“It’s quite possible that a high-level summary of the data… which is a list of sample file names which was eventually given to Super SA on the 21^st of September was the only data that was released.

“It’s very hard to be precise on that, but what we do know is that the threat was removed from the dark web on the 8^th of September.”

Persse said the government believes the perpetrator is an “overseas actor”.

He also said the government did not pay a ransom to remove the threat from the dark web, although he was unaware whether the company did.

An earlier version of this story stated that the Super SA data was on the dark web for three weeks. Persse clarified afterwards that the “threat from the cyber threat actor was up for a period of three weeks, not the data itself”.