10th March 2026 Cyber Update: WA Government Audit Reveals M365 Failures Led to Data Breach and $71k Theft
A Western Australian government audit has exposed critical Microsoft 365 security failures across seven state entities, leading to a data breach that leaked information on minors and a separate business email compromise incident resulting in the theft of $71,000 through fraudulent invoices.
Cyber News Centre's cyber update for 10th March 2026: The Western Australian government has been hit by significant security failures, with a state audit revealing that poorly configured Microsoft 365 controls led directly to a data breach involving children's information and a separate $71,000 invoice fraud.
The Western Australian Office of the Auditor General (OAG) is a statutory body responsible for auditing the state's public sector. It provides independent information and assurance to Parliament on the financial integrity and performance of state and local government entities, ensuring accountability and transparency in the use of public resources.
The Update and Why It Matters
Update: A damning report from Western Australia's Office of the Auditor General, released March 6, has exposed systemic failures in Microsoft 365 security across seven unnamed state government entities. The audit, which assessed over 160 security settings per agency, uncovered two major incidents directly caused by these weaknesses. In one case, sensitive personal data of 32 individuals, including minors, was leaked after an entity shared it with a third-party provider whose Dropbox account was subsequently compromised.
The agency lacked any data loss prevention (DLP) controls to detect or contain the breach. In a separate incident, a senior officer's M365 account was compromised via a phishing attack that exploited weak multifactor authentication (MFA). The attacker registered their own device, studied the officer's emails for weeks, and successfully orchestrated a business email compromise (BEC) attack, sending fraudulent invoices that resulted in a $71,000 theft. The audit found that none of the seven entities had implemented DLP broadly, all allowed data storage on unmanaged services like Dropbox and Google Drive, and all relied on weak, phishable MFA methods like SMS codes, which were responsible for 58% of Australian government security incidents in 2024-25.
Why it Matters: This audit provides a concrete link between baseline security negligence and significant real-world harm, including financial loss and the exposure of children's data. The findings demonstrate that even with established policies, a failure to implement and monitor technical controls renders government agencies highly vulnerable.
The report draws a direct parallel to the 2022 Medibank breach, which also originated from a compromised personal device, highlighting a persistent, unaddressed attack vector across Australian institutions. For citizens, it confirms that sensitive data held by the government is not being adequately protected, eroding public trust. For other government agencies and businesses, it serves as a stark warning that reliance on default or poorly configured cloud security settings is an invitation for attack. The fact that one entity has still not remediated the controls that led to a $71,000 loss underscores a critical gap between identifying and fixing fundamental security flaws, leaving the door open for repeat incidents.