AAPT found by the Privacy Commissioner to have breached the Privacy Act 1988 as a result of an own motion investigation

October 16, 2013

The Privacy Commissioner has issued a media release announcing a privacy breach by AAPT. The breaches involved failing to adequately protect data from unauthorised access, in this case a hacking attack. As it transpires, AAPT also failed to destroy or de-identify old data it held.

The media release (found here) provides:

The Australian Privacy Commissioner, Timothy Pilgrim, has found AAPT Limited breached the Privacy Act for failing to adequately protect customer data from unauthorised access. The Commissioner also found that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use.

In July 2012, AAPT customer data held on servers hosted by IT contractor Melbourne IT, was hacked and published online.

‘While I appreciate the speed and the way in which AAPT responded to the incident, it highlights the importance of having appropriate security systems and contractual arrangements in place to avoid a breach such as this,’ Mr Pilgrim said.

‘Organisations should ensure that contracts with IT suppliers are clear about which party has responsibility for identifying and addressing data security issues.’

‘More should have been done to appropriately manage and protect the information involved. Using older versions of applications and software when newer versions are available is a risk that needs to be actively managed, particularly when personal information is involved.’

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers and provide a quoting and billing system for AAPT sales staff. The personal information included information collected for the purpose of obtaining credit reports of AAPT business customers and information used for the purpose of transferring telephone numbers from other telecommunications carriers.

‘It was also concerning that the compromised servers contained old customer information that was no longer needed by AAPT,’ Mr Pilgrim said.

‘Holding onto old personal information that is no longer needed does not comply with the Privacy Act and organisations which do so are needlessly placing themselves in a position of risk.’

The Commissioner made a number of recommendations to AAPT including implementing regular training for staff in relation to data retention and destruction, ensuring all IT applications are subject to vulnerability assessment and testing, as well as ensuring effective lifecycle management, and conducting regular audits of AAPT’s IT security framework. AAPT has implemented these recommendations.

Current privacy laws do not give the Commissioner the power to impose any penalties or seek enforceable undertakings from organisations investigated on his own initiative.

‘New privacy laws in force from 12 March 2014 will give me additional powers and remedies when conducting such investigations. From that date I will be able to obtain enforceable undertakings from organisations and, in the case of serious or repeated breaches seek civil penalties,’ Mr Pilgrim said.

The own motion investigation (found here) provides:

Overview

On 6 August 2012, the Australian Privacy Commissioner (the Commissioner) opened an own motion investigation into AAPT Ltd (AAPT) and Melbourne IT Ltd (Melbourne IT) in response to media reports that a server holding AAPT customer information had been compromised by the hacker group Anonymous.

The Commissioner’s investigation focused on whether AAPT and Melbourne IT took reasonable steps to protect customer information from misuse and loss and from unauthorised access, modification or disclosure.

After considering the facts of the case, submissions from AAPT and Melbourne IT and the relevant provisions of the Privacy Act 1988 (Privacy Act), the Commissioner came to the view that AAPT had breached the Privacy Act by failing to take reasonable steps to secure the personal information it held. The Commissioner also found that the compromised servers contained some old customer information and that AAPT had failed to comply with its obligation to destroy or permanently de-identify information no longer in use.

The Australian Communications and Media Authority (the ACMA) also carried out an investigation into the incident in relation to AAPT’s compliance with the Telecommunications Consumer Protections Code C628:2007 (the Code). The ACMA found that AAPT contravened clause 6.8.1 of the Code by failing to protect the privacy of small business customers whose personal information was stored in a server which was the subject of unauthorised access.

Background

On 26 July 2012, the Commissioner received information which indicated that a server on which AAPT data was held was accessed by Anonymous between 17 and 19 July 2012, with unauthorised data transfers occurring from 20 July 2012 to 22 July 2012. Subsequently, AAPT data was published by Anonymous on the internet.

The AAPT data was held on a server managed by WebCentral Pty Ltd, a webhosting business unit of Melbourne IT. Melbourne IT identified the incident after becoming aware of the attack by Anonymous on other servers it operated. It notified AAPT of the incident on 25 July 2012 and on the same day AAPT disconnected from the Melbourne IT network and took immediate steps to ensure the data could not be further compromised.

The compromised server held a series of websites and databases that included personal information about AAPT business customers used to verify the identity of customers and provide a quoting and billing system for AAPT sales staff. The personal information included information collected for the purpose of obtaining credit reports of AAPT business customers and information used for the purpose of transferring telephone numbers from other telecommunications carriers.

Relevant provisions of the Privacy Act

Organisations covered by the Privacy Act must comply with ten National Privacy Principles (NPPs) contained in Schedule 3 of the Act. The NPPs apply to the handling of ‘personal information’ which the Privacy Act defines as:

information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

The Privacy Act applies to all private sector organisations with an annual turnover of more than $3 million and some small businesses. Both AAPT and Melbourne IT are subject to the Privacy Act and the NPPs.

NPP 4 (Data security) and NPP 2 (Use and disclosure) were the Privacy Act provisions relevant to this incident. In particular:

  • NPP 4.1 requires organisations to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure
  • NPP 4.2 states that, if an organisation no longer needs personal information for any purpose under NPP 2, then the organisation must take reasonable steps to destroy or permanently de-identify it
  • NPP 2.1 provides that an organisation may only use or disclose personal information for the primary purpose of collection, unless an exception applies.

Findings

Security of personal information (NPP 4.1)

In determining whether there had been a breach of NPP 4.1, the Commissioner considered which organisation ‘held’ the AAPT customer information and whether that organisation took reasonable steps to protect the information from unauthorised access, modification or disclosure.

Which organisation ‘held’ the personal information for the purposes of NPP 4.1

NPP 4.1 applies to personal information ‘held’ by an organisation. Information is held by an organisation where it has physical possession of the data or the right or power to deal with the information even if it does not physically possess or own the medium on which the information is stored.

The Commissioner took the view that AAPT held the information for the purposes of NPP 4.1, despite it being stored on Melbourne IT’s server. This meant that AAPT had an obligation to comply with NPP 4.1 in relation to the information.

Whether reasonable steps were taken to secure the personal information

The Commissioner then considered whether AAPT had reasonable steps in place to protect the security of the information. [1]

A contract between AAPT and WebCentral signed in 2005 stated that the server was to be fully managed and maintained on the customer’s behalf, ‘with the exception of custom application content and data’, which was to be the responsibility of AAPT.

Data on the server managed by WebCentral was accessed by Anonymous via the ‘Cold Fusion’ application installed on the server. Anonymous was able to exploit a vulnerability in the application to gain access to the data. Melbourne IT described Cold Fusion as a ‘customer managed application.’ In Melbourne IT’s view, it was AAPT’s responsibility to update applications when newer versions became available. Melbourne IT took responsibility for keeping existing applications patched. At the time of the incident, security patches were up to date on the Cold Fusion application, but several newer versions of Cold Fusion were available, the most recent of which had security features that may have prevented the attack by Anonymous.

The 2005 contract between AAPT and WebCentral contained some provisions requiring WebCentral to have security arrangements in place for data held on the server. However, the contract did not require that:

  • the data on the server be appropriately assessed and classified to determine whether it included personal information and the sensitivity of that information
  • existing or emerging security risks in connection with the Cold Fusion application be identified and addressed or
  • vulnerability scanning and effective lifecycle management of the Cold Fusion application occur.

Moreover, it was not clear that AAPT was aware of what personal information was contained on the server; what Cold Fusion applications were installed and which part of the server these applications related to; and who was responsible for the maintenance and lifecycle management of the Cold Fusion application that was exploited by Anonymous.

In considering these factors, the Commissioner came to the view that AAPT failed to take its own steps to appropriately manage and protect the information and did not have adequate contractual measures in place to protect the personal information held on the compromised server. AAPT continued to use a seven-year-old version of Cold Fusion which was generally known to have vulnerabilities when newer versions were available.

Therefore, the Commissioner found that, in this instance, AAPT did not take reasonable steps to protect the personal information it held from misuse and loss and from unauthorised access, modification or disclosure, in contravention of NPP 4.1.

Recommendations

To address the issues identified above, the OAIC recommended that AAPT:

  • conduct regular reviews of all IT applications held internally or with external providers to ensure AAPT is aware of applications held
  • take steps to ensure all IT applications held internally or externally which hold or use personal information are subject to vulnerability assessment and testing, regular vulnerability scanning and have effective lifecycle management
  • clearly allocate responsibility for lifecycle management of applications
  • conduct regular audits of AAPT’s IT security framework to ensure that security measures are working effectively, and that policies and procedures relating to data security are being complied with
  • undertake further training for IT staff and relevant business units to increase their understanding of their data security obligations (including lifecycle management of IT applications), data security risks and threats, and the importance of following AAPT’s policies and procedures that relate to data security
  • undertake steps to ensure appropriate classification of data it holds either internally or externally, including whether it includes personal information and the sensitivity of that information
  • review the terms of the contracts it has with IT suppliers that hold or manage AAPT data to ensure clarity around which party has responsibility for identifying and addressing data security issues (such as vulnerabilities associated with old versions of IT applications).

AAPT has implemented these recommendations by establishing an Information Management and Security Framework to ensure appropriate classification of data and to regularise risk assessments of information management and security practices. The Framework incorporates policies on: information life cycle management; physical and environmental security; internal security governance (such as IT security, email, network and systems security, third party provider security and change management); and information security incident management.

AAPT has also carried out an audit of contractors to assess the type of information held and any vulnerabilities relating to data security. The audit also assessed the sensitivity of data held by AAPT and measures in place to ensure secure storage or deletion where appropriate. AAPT has also introduced a program to identify and rectify software vulnerabilities and to ensure regular testing of network and firewall security.

To ensure staff understand their data security obligations, AAPT has established an Information Security Awareness and Training Policy and has rolled out an online Privacy and Information Security Policies training program to all AAPT staff.

Retention of personal information (NPP 4.2)

During the investigation, AAPT confirmed that not all of the compromised data was in use at the time of the hacking incident. NPP 4.2 requires organisations to take reasonable steps to destroy or permanently de-identify personal information that is not being used or disclosed for any purpose under NPP 2. To comply with this obligation, an organisation must develop systems or procedures to identify information the organisation no longer needs and a process for how the destruction or de-identification of the information will occur.

AAPT’s Information Management Policy, Information Management Guidelines and Data Storage for Archive and Back up Standard outline the data retention system operating at AAPT and also refer to specific retention schedules. It appears that those policies were available on AAPT’s intranet, though there seems to have been low awareness of data retention requirements amongst staff or business units. Data retention policies were not being followed at the time of the incident by the staff involved with the data held on Melbourne IT’s servers and AAPT only became aware of this situation when the hacking incident occurred.

In considering these facts, the Commissioner came to the view that AAPT did not take reasonable steps to destroy or permanently de-identify the personal information that was no longer in use (in contravention of NPP 4.2).

Recommendations

To address the issues identified above, the OAIC recommended that AAPT:

  • ensure that there is regular training for staff in relation to data security policies, including data retention and destruction – specifically, any staff who are responsible for information creation, distribution, retention and destruction should be provided with appropriate guidance and training to meet their obligations for each stage of the information lifecycle.

As noted above, AAPT has addressed this recommendation by establishing an Information Security Awareness and Training Policy and rolling out an online Privacy and Information Security Policies training program to all AAPT staff. The training includes guidance in data destruction procedures and the process for retaining and destroying information.

Disclosure of personal information (NPP 2.1)

As part of the investigation, the Commissioner considered whether there had been a breach of NPP 2.1 in relation to the publication, by Anonymous, of AAPT customer information online. NPP 2.1 regulates the use and disclosure of personal information and states that organisations may only use or disclose personal information for the primary purpose of collection, unless an exception applies.

In general terms, an organisation discloses personal information when it releases information to others outside the organisation.

Given that AAPT customer data was made public through the malicious actions of Anonymous, the Commissioner came to the view that the publication of the data by Anonymous was not a ‘disclosure’ by AAPT. Therefore, AAPT did not breach NPP 2.1 in these circumstances.

Conclusion

AAPT acted appropriately in response to the incident by taking the server offline immediately and working closely with Melbourne IT to investigate and rectify the incident. A configuration change to the server by Melbourne IT on 24 July 2012 closed the vulnerability exploited by Anonymous.

Since the incident, AAPT has undertaken an appropriate review of the incident and data involved, and has taken appropriate steps to notify potentially affected customers. All AAPT data storage arrangements have been reviewed by AAPT, either as part of the IT response to the incident or as part of a broader internal audit and review of data storage arrangements.

Following the Commissioner’s finding that AAPT had breached NPP 4.1 and 4.2 in relation to the data held on the compromised server, AAPT has addressed the OAIC’s recommendations.

Based on the information provided by AAPT about its review and remediation of the matter and AAPT’s implementation of recommendations made by the OAIC, the Commissioner decided to close the investigation. The Commissioner also closed the investigation into Melbourne IT, finding the organisation had not breached the NPPs in relation to AAPT customer data.

Should an individual complaint about the matter be received, the OAIC will consider it on its merits and information gathered as part of this investigation will be taken into account in any subsequent complaint process.

It has been reported in ‘AAPT breaches privacy rules over server hack’ and ‘AAPT breached Privacy Act, Melbourne IT given all-clear’.

The Privacy Commissioner’s findings post-date the ACMA’s investigation report, reproduced below, by quite a few months. Given the gatekeeper role the Privacy Commissioner has in enforcing the Privacy Act and the commensurate lack of power an individual has in bringing civil action (but for a section 98 proceeding), delays by the regulator in responding to complaints and then ruling on them are a concern. The benefit of having more enforcement powers is lost if they are not enforced.

The report provides:

Investigation Report:
Compliance with Clause 6.8.1 of the Telecommunications Consumer Protections Code C628:2007 by AAPT Limited


Findings

The Australian Communications and Media Authority (the ACMA) is of the view that AAPT Limited (AAPT) has contravened clause 6.8.1 of the Telecommunications Consumer Protections Code C628:2007 (the TCP Code 2007) by failing to protect the privacy of small business customers whose personal information was stored in a server which was the subject of unauthorised access in July 2012.

Background

  1. This report presents the findings of an investigation conducted by the ACMA into an incident which occurred on or around 25 July 2012 (‘the incident’), which raises issues of compliance by AAPT with the privacy provisions of the TCP Code 2007.
  2. Under paragraph 510(1)(c) of the Telecommunications Act 1997 (the Act), where it considers it desirable to do so, the ACMA may investigate contraventions of a code registered under Part 6 of the Act, or any matter relating to the performance of the ACMA’s telecommunications functions, or the exercise of the ACMA’s telecommunication powers (except to the extent that the matter relates to the content of a content service)[1]. The ACMA commenced an investigation into AAPT’s compliance with clause 6.8.1 of the TCP Code 2007 on 24 September 2012.
  3. At the time the incident occurred, the TCP Code 2007 was registered under Part 6 of the Act. Currently, the Telecommunications Consumer Protections Code C628:2012 (the TCP Code 2012) is registered under Part 6 of the Act. Both codes contain rules about how Carriage Service Providers (CSPs) deal with their residential and small business customers. The rules apply to a range of CSP business practices, including the protection of privacy.
  4. AAPT is a wholly-owned subsidiary of Telecom Corporation of New Zealand.
  5. AAPT is a CSP within the meaning of the Act and therefore a Supplier for the purposes of the TCP Code 2007 and the TCP Code 2012. Accordingly, AAPT was required to comply with the TCP Code 2007 at the time the incident occurred, and is currently required to comply with the provisions of the TCP Code 2012 as it applies to AAPT’s dealings with its small business customers[2].
  6. AAPT sold its residential business in September 2010. AAPT’s customer base has since been made up of business customers, including small businesses.
  7. Clause 6.8.1 of the TCP Code 2007 states that a supplier must protect the privacy of each customer’s billing and related personal information.
  8. On 26 July 2012, it was reported in various publications that there had been a security incident where AAPT customer records had been stolen, for example:

Relevant facts

  1. On 2 August 2012, the ACMA contacted AAPT to obtain information about this incident. On 7 September 2012, AAPT provided the ACMA with a copy of a confidential report titled Investigation into Data Security Incident, which occurred on or around 25 July 2012 (the Report). The Report was prepared by AAPT and provided the ACMA with an outline of the cause of the incident, an explanation of AAPT’s response to the incident and the steps taken by AAPT to prevent a repeat of any similar incident.
  2. The Report states that:

(a)  On 25 July 2012, AAPT became aware of a security incident whereby a server (the server) supplied and managed by WebCentral Pty Limited, a subsidiary of Melbourne IT, and on which AAPT data was stored was the subject of an unauthorised hacking attack by a third party. It appears that the political activist group ‘Anonymous’ was responsible for the attack. A subset of the accessed files, containing personal information, was later released on the internet. It appears Anonymous attempted to scramble the disclosed personal data in order to anonymise it, but it is unclear whether Anonymous had been completely successful.

(b)  The server was accessed by Anonymous in the period 17 – 19 July 2012. 8-10 GB of data was transferred from the server by Anonymous in the period 20 – 22 July 2012. Five of the 8-10 GB of data apparently consisted of two files (3.5 GB and 1.5 GB respectively). Based on AAPT’s analysis, it appears that the information released by Anonymous came from these two files.

(c)  The first file (3.5 GB), when uncompressed, was 27GB in total and contained AAPT’s quoting database (named Fusion) which consists of 601 tables of data. The second file (1.5 GB) was found to be corrupt and could not be repaired and read.

(d)  AAPT has been unable to determine what data was contained in the remaining 3-5 GB of transferred data, which means that the data may have come from any of the data (approx. 100 GB in total) on the server. AAPT is therefore working on the basis that the entire server may have been compromised.

(e)  An initial analysis of the data known to be copied by Anonymous revealed that some of the personal information contained in the 601 tables, included:

  • 11 instances of credit card details; and
  • 184 records of drivers licence numbers and dates of birth for AAPT customers who were sole traders.

(f)   AAPT has since conducted a more thorough analysis of the data and has discovered that more personal information was contained in the 601 tables than it had originally thought. An analysis of the 5GB of data known to be copied and the remaining 95GB of data on the server that may have been copied indicates that the following personal information may have been accessed[3]:

  • Credit card details: 13
  • Name: 264,691
  • Drivers licence numbers: 1,394
  • Medicare numbers: 2
  • Email address: 109,566
  • Address: 2,854

(g)  The following combinations of personal information were also identified:

  • Name and email: 108,376
  • Name and Address: 2,831
  • Name and Mobile: 64,035
  • Name and Telephone: 202,353

(h)  AAPT has to date sent 1,393 notification letters to affected individuals (114 of which have been definitively identified as sole traders). The letters were sent to people who had the following information held in the server:

  • financially sensitive data;
  • either or both of date of birth and government-issued ID (e.g. drivers licence, passport) in any combination with name, address and contact details, and/or
  • password information (not system generated) in any combination with name, address and contact details.

(i)    The root cause of the incident was unauthorised access to the server via a settings vulnerability. The 3.5GB file that was transferred by Anonymous (apparently the source of the released information) was a back-up copy of the AAPT Fusion database as at or around 7 July 2011. The personal information was not encrypted or anonymised.

(j)    AAPT’s intention had been to decommission the server once the back-up file had been migrated, but due to an oversight resulting from the departure of key staff and a lack of transparency of applicable processes and policies, this decommissioning had not occurred.

(k)  As soon as it was notified that AAPT data had been accessed and copied as a result of the incident, AAPT requested that all managed servers at WebCentral which contained AAPT data were to be disconnected from its network. The server that was the subject of the incident remains disconnected from the production network.

(l)    AAPT has liaised with various government agencies including the Australian Federal Police (AFP) to ensure potential harm is mitigated. AAPT is also taking steps to prevent a repeat of any similar incident.

  3. Separately, AAPT has outlined to the ACMA actions it has undertaken since the incident, to increase the protection afforded to AAPT customer personal information.
  4. Having assessed the evidence and information before it, the ACMA has formed the view that AAPT failed to protect the privacy of the personal information of the small business customers whose billing and related personal information were stored in the compromised server, and has therefore contravened clause 6.8.1 of the TCP Code 2007.

Findings and reasons – Compliance with the TCP Code

Discussion

  1. The TCP Code 2007 sets out supplier obligations in relation to small business and residential customers only[4]. The obligations in clause 6.8.1 of the TCP Code 2007 relate to the protection of the “personal information” of those customers.

What is personal information?

  1. The term “personal information” is not defined in TCP Code 2007. The ACMA considers it appropriate to adopt the definition used in Commonwealth privacy legislation, which is consistent with the definition adopted in TCP Code 2012.
  2. The Privacy Act 1988 defines “personal information” as “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

Was there a disclosure of personal information relating to residential or small business customers?

  1. As the AAPT customers (or former customers) impacted by the incident include medium to large businesses, not all of the data accessed or released would be a matter for consideration under clause 6.8.1 of the TCP Code 2007[5]. However, 114 customers who were identified as being at risk and were notified by AAPT of the incident were identified as sole traders, and therefore the ACMA is of the view that all or most of these are small business customers.
  2. Therefore, the ACMA is of the view that the incident resulted in the unauthorised disclosure of personal information relating to some of AAPT’s small business customers.

Clause 6.8.1 of the TCP Code 2007

  1. Clause 6.8.1 of the TCP Code 2007 required that AAPT protect the privacy of the billing and related personal information of the small business customers referred to above.
  2. As mentioned above, personal information relating to small business customers was the subject of unauthorised disclosure. The ACMA is of the view that the personal information in question included the “billing and related personal information of the relevant small business customers”[6].
  3. It is the responsibility of the supplier to protect the relevant personal information. In the ACMA’s view, in order to protect the relevant personal information, a supplier must establish and comply with appropriate procedures regarding the storage and security of the personal information. Such information should only be accessed by the relevant staff.
  4. Telecom Corporation of New Zealand’s documented ‘Information management policy’ and ‘Information management guidelines’ (IMG) apply directly to AAPT. Both were in place prior to the incident.
  5. The IMG states that information should only be retained, including information in inactive offsite storage, if required for business needs or to meet legal obligations. Other information “should generally be destroyed”. AAPT also states that according to its policies “it should only store data in a single system”. AAPT has described its policy on the retention and disposal of data. The policy confirms that where there is no business or legal requirement, the information should be destroyed. Also, where a back-up or archive is no longer required it must be disposed of securely and completely.
  6. The database on the compromised server was created as back-up to “facilitate “insourcing” of the Fusion application to AAPT’s own cloud environment”. AAPT intended to decommission the compromised server once the back-up files had been migrated, but this was not done “due to an oversight”. The oversight resulted from the departure of key staff and “a lack of transparency of applicable processes and policies”.
  7. The incident indicates AAPT did not follow its parent company’s policy and guidelines in relation to information management.
  8. The incident also indicates AAPT did not adopt its own policy on the retention and disposal of data. It is not clear whether AAPT had established internal processes (or practices) in line with its policy. As noted above, AAPT has acknowledged its processes and policies were not transparent. In the ACMA’s view, if internal policies are not known by staff, then they cannot be effectively applied within an organisation.
  9. The retention of relevant customer personal information on a server after it was no longer required, and the failure to treat it in accordance with its own policy, in the view of the ACMA, meant that the information was not adequately protected by AAPT. Furthermore AAPT was not cognisant of the existence of the personal information and may well have remained unaware of it, had it not been for this incident.
  10. The ACMA notes that upon being notified of the incident, AAPT immediately took action to ensure that the database could not be further compromised. AAPT has also confirmed it has undertaken particular remedial actions and is currently undertaking further actions to ensure its compliance with the TCP Code 2012. For example, it has circulated its existing information management policies and guidelines, including those dealing with data retention and destruction, to AAPT staff, and it is currently updating and developing its internal privacy policies and procedures to promote and implement privacy compliance within AAPT.

[1] See ss. 508(b) and 508(f) of the Act

[2] See clause 1.3 of the TCP Code 2007 and the TCP Code 2012

[3] Please note that these lists are not exhaustive. AAPT has also noted that the numbers are likely to be an over representation, due to the way the data was collated.

[4] See cl. 1.3.3 of the TCP Code 2007

[5] As mentioned above, these codes only relate to supplier obligations in relation to residential and small business customers

[6] For example, credit card details were held
