PNG Tax Office Cyberattack – What It Means for Businesses & Government

The Papua New Guinea Internal Revenue Commission (IRC) has been hit by a massive ransomware attack, disrupting its network and email systems. While officials claim taxpayer data remains secure, this incident highlights major security gaps in PNG’s government and business IT infrastructure.

In this episode of Don’t Be A Sitting Duck Podcast, Leigh Kefford breaks down:

  • How the PNG cyberattack happened and why it’s a wake-up call for businesses.
  • What security weaknesses allowed hackers to infiltrate the tax system.
  • Key cybersecurity actions that businesses must take now to prevent ransomware attacks.
  • What the PNG government must do to secure its national infrastructure.

Cybercriminals won’t stop here—if businesses and governments don’t act now, more attacks will follow.

Key Takeaways

  • The PNG Internal Revenue Commission (IRC) was attacked by ransomware, shutting down critical operations.
  • Outdated IT systems & weak security controls left PNG’s tax office vulnerable.
  • Cybercriminals now see PNG as an easy target—businesses and government agencies must take cybersecurity seriously.
  • Immediate actions businesses should take include enabling Multi-Factor Authentication (MFA), implementing Zero Trust security, and conducting cybersecurity training.
  • The PNG government must modernise IT systems, enforce cybersecurity laws, and create a national cyber strategy to prevent future attacks.

Episode Transcript

The Internal Revenue Commission of Papua New Guinea was hit by a major ransomware attack. The government’s tax agency saw its network and email systems shut down, disrupting operations. The Commissioner General, Sam Koim, confirmed that some data was accessed but assured the public that taxpayer records remained secure.

However, this cyberattack exposes the alarming reality—PNG’s government IT infrastructure is outdated, under-protected, and an easy target for hackers.

This isn’t just about PNG. If a nation’s tax office can be breached, then businesses, banks, and government agencies worldwide should take this as a warning sign.

What happened, why it matters, and what the PNG government and businesses must do to fix this now.

Welcome to the Don’t Be A Sitting Duck Podcast. I’m Leigh Kefford—let’s dive in.

PNG Tax Office Cyber Attack

On January 28, 2025, the IRC’s network was encrypted by ransomware, bringing its email and internal systems to a halt.

What saved them? The tax processing system, SIGTAS, was backed up separately and restored. But it could’ve been much worse.

The attackers targeted the IRC’s virtualization servers, meaning all stored data was at risk.

The PNG government refused to pay the ransom and worked with KPMG’s cybersecurity team to recover.

Critical data security measures were missing—leaving PNG’s digital infrastructure at risk.

This attack highlights a major issue. PNG has a cybersecurity framework in name, but in practice, it’s failing to protect critical infrastructure.

Here’s why this attack happened.

The PNG government relies on outdated IT systems with weak cybersecurity controls.

There are no mandatory security regulations enforcing multi-factor authentication, endpoint protection, or breach reporting.

PNG lacks cybersecurity-trained professionals, making response efforts slow and ineffective.

Why it matters.

If government tax systems are vulnerable, so are banks, businesses, and citizen records.

This wasn’t an isolated incident—it’s a warning of future attacks on PNG and other developing economies.

Cybercriminals now know PNG is an easy target—if serious changes aren’t made, more attacks will follow.

If you run a business in PNG—or anywhere else—this attack is a wake-up call. Here’s how to secure your company.

ACTION ITEMS:

  1. Implement Zero Trust Security—never trust any connection without verification.
  2. Enable Multi-Factor Authentication on all accounts—it stops phishing and credential theft.
  3. Deploy Advanced Threat Detection—use Endpoint Detection and Response and Dark Web Monitoring.
  4. Train Employees Regularly—conduct phishing simulations and awareness training.
  5. Have an Incident Response Plan—test disaster recovery and ransomware response before it’s too late.
  6. Backup Your Data Securely—use air-gapped, encrypted backups with regular testing.
  7. Conduct Regular Security Assessments—identify and fix vulnerabilities before they are exploited.
  8. Restrict Admin Privileges—use Role-Based Access Control and limit high-risk permissions.
  9. Secure Remote Access—require VPNs, Zero Trust Network Access, and endpoint security for remote work.
  10. Stay Updated—apply patches and security updates immediately to prevent exploitation.

This attack proves that PNG’s cybersecurity policies are not enough.

Here’s what the government must do to prevent future cyberattacks.

ACTION ITEMS FOR GOVERNMENT:

  1. Create a PNG National Cybersecurity Strategy—implement a mandatory security framework and upgrade outdated government systems.
  2. Establish a Cybersecurity Task Force—combine government agencies, financial institutions, and telecom providers to share threat intelligence.
  3. Pass a National Cybersecurity Law—enforce breach reporting rules and minimum security standards for critical infrastructure.
  4. Develop a Cybersecurity Workforce Training Program—partner with universities and private sector organizations to train local cybersecurity professionals.
  5. Modernise Government IT Infrastructure—migrate government systems to secure cloud platforms and implement Zero Trust security.
  6. Require Multi-Factor Authentication for Government Services—prevent unauthorised access to critical systems.
  7. Launch a Public Cybersecurity Awareness Campaign—educate businesses and citizens about phishing, ransomware, and scams.
  8. Strengthen Incident Response Capabilities—create a national Cyber Incident Response Team for coordinated responses.
  9. Increase Cybersecurity Funding—allocate government resources to improving cybersecurity resilience.
  10. Enforce Essential Eight Cybersecurity Controls—require all government agencies and critical infrastructure providers to follow best practices.

The time for PNG to act is now. If no action is taken, cybercriminals will keep attacking.

That’s a wrap for today’s episode!

Want more cybersecurity insights? Head over to sittingduck.com.au for show notes, resources, and the latest updates.

Thinking about your business security? Here’s what to do next.

Book your free Empower Systems Assessment to uncover vulnerabilities and learn how to strengthen your defenses.

Listen to my audiobook, Sitting Duck – The Phone Call You Don’t Want to Receive—a real-world look at Business Email Compromise. Available now on Spotify and leading audiobook platforms.

Until next time—stay safe, stay informed, and don’t be a sitting duck!
