Noosa Council says it has recovered some of the $2.3 million it lost to last year’s “calculated fraud attack”.
In an update provided by council CEO Larry Sengstock, he said a further $200,000 had been reclaimed, bringing the total amount recovered to $640,000.
“This reduces the original $2.3 million loss to $1.7 million,” he said.
“I want to reassure the community that while this is a lot of money, it’s had no impact on the delivery of council projects or services. The services you rightly expect and rely on have not been affected.”
The “well-organised cyber fraud” occurred in December 2024 but the council did not tell ratepayers for more than 10 months.
Mr Sengstock also gave an update about how the incident happened.
“This was not a cyber security attack. There was no breach of council’s system and no personal data taken,” he said.
“In this case, the criminals used sophisticated social engineering tactics to impersonate a legitimate supplier and manipulate staff into changing banking and contact details.
“While human error played a part, as CEO, I take full responsibility, with the wellbeing of our staff a high priority.
“Our team works hard for you every day and deserves respect and kindness as we learn from this incident and move forward.”
Mr Sengstock said an updated report to the community would be tabled at today’s ordinary meeting of council.
He steps had been taken to improve council processes since the attack, including third-party payment protection software to validate banking details; conducting regular mandatory cyber-fraud training for staff; and establishing an independent, risk-based financial accountability program.
“We have met all reporting obligations and implemented every recommendation from the Queensland Audit Office,” he said.
The matter has been investigated by Queensland Police and the Joint Policing Cybercrime Coordination Centre.
