Major data breach of Aussie Travel Cover

January 15, 2015

Today’s PM program, in Private details leaked after travel insurance company hacked, reports on both a significant data breach involving the disclosure of personal information from Aussie Travel Cover and the company’s terrible handling of that breach, starting with its failure to notify customers that their personal information had been compromised and, in some cases, posted online. It is also hardly a banner day for the Australian Privacy Commissioner, who has known about the breach since 22 December 2014 and whose response is reported as “he’s still deciding if there’ll be a formal investigation.” As for the police response, Queensland police refer enquiries to the New South Wales Police, who are not investigating the matter, while at the Federal level the Australian Federal Police refer enquiries to the Attorney General’s Department.

The story is significant in highlighting the poor understanding of the need to maintain adequate and up-to-date cyber security, to have adequate protections, including segmentation, within a database, and to have policies for dealing with a breach that go beyond bringing in a consultant and saying nothing. It also highlights the obvious need for proper data breach notification laws. Finally, it reminds everyone in the industry that Australia is no different from the rest of the world in being susceptible to large-scale data breaches.

The story provides:

BRENDAN TREMBATH: The computer systems and database of one of the country’s largest travel insurance companies has been hacked, and parts of its customer database posted online.

Aussie Travel Cover, a privately owned New South Wales based business has known about the hack since before Christmas, but opted not to tell insurance policy-holders.

Travel agencies that sell Aussie Travel Cover policies to their clients have today been left to explain the situation to irate customers.

Some only found out that their details had been leaked after being contacted by PM. And despite the ABC obtaining an admission from the hacker about what he’s done, police have so far failed to investigate.

Will Ockenden reports.

WILL OCKENDEN: It’s a privacy breach that touches some of the country’s most senior figures in the courts, police, government, business and media.

But it’s not just the influential who’ve had their private details stolen. Database logs show it could affect hundreds of thousands of Australians.

TROY HUNT: The data shows about three quarters of a million records of personal, presumably Aussie information. So things like address and partial credit card details.

WILL OCKENDEN: Troy Hunt is a computer security expert.

TROY HUNT: Well there’s two things here. So there’s what has been publicly disclosed, and then there’s all the stuff that the hacker hasn’t released publicly yet, may be selling via the black market or passing on through other nefarious means.

WILL OCKENDEN: On the 18th December last year, travel insurance provider Aussie Travel Cover was made aware that its computer system had been hacked.

The hacker stole a large amount of personal information, including names, phone numbers, email addresses, travel dates, and how much policies cost.

Aussie Travel Cover is a privately owned business well regarded in the travel industry, and let third party agents know about the hack a few days later on the 23rd December.

But while agents were informed, customers and policy-holders have been left in the dark – intentionally.

In an email to agents, the company explained that because it had engaged consultants to help investigate the breach, it said, quote “at this stage, there is no reason to advise policy-holders” unquote.

TROY HUNT: The worry is things like identity theft. So when you have names, email addresses, other personally identifiable information, does that mean that person may be at risk of someone else coming along and stealing their identity?

WILL OCKENDEN: So who is the person responsible?

Well according to the international security research firm IntelCrawler, the hacker is known under his internet name Abdilo.

PM has been chatting online with Abdilo, trying to work out why he hacked Aussie Travel Cover and what he planned on doing with the information.

He said he was bored, and admitted it was reckless. As for the long arm of the law, he said he wasn’t worried about the police.

The IntelCrawler report links Abdilo’s various online personas, and claims he lives in Queensland.

But despite the report, the Queensland and New South Wales police say they aren’t investigating, and Aussie Travel Cover has today gone to ground.

VOICE MESSAGE: Thank you for calling Aussie Travel Cover.

WILL OCKENDEN: Late this evening, Aussie Travel Cover sent the ABC a statement saying it’s aware of the issue and cooperating with law enforcement. It declined to provide any further information.

VOICE MESSAGE: Please inform your consultant if you wish to listen to our privacy message.

WILL OCKENDEN: The company has known for more than a month about the hack, and has taken steps to try and fix the hole the hacker got in.

Aussie Travel Cover took its entire web site offline for a month to fix the problem. But it appears it was too late for many, including Sophia, who had previously purchased Aussie Travel Cover insurance via a travel agent.

SOPHIA: It actually makes me feel quite uncomfortable to know that your personal details are out there in the hands of someone that you haven’t authorised for them to be in the hands of.

WILL OCKENDEN: And when was the first time you heard about it?

SOPHIA: When you rang me about an hour ago.

WILL OCKENDEN: A log shows the entire structure of the company’s database, including how many records are in it.

One part of the system called Policies has more than 770,000 records. Another called Banking contains more than 100,000.

In the email to agents, Aussie Travel Cover says no credit card records or bank details are kept on the website or in the database.

However, the ABC has seen records which appear to be the first and last parts of a credit card number. The rest of the number is redacted.

Sophia says she should have been told.

SOPHIA: If your personal information that you’ve given a company and you’ve paid them money, and that information somehow gets in the hands of other people, they should let you know there’s been some privacy breach.

And that way you can take precautions.

WILL OCKENDEN: The breach has also exposed a serious fault with the way the authorities handle these types of privacy breaches.

The ABC has been told the hacker lives in Queensland, but when PM contacted the Queensland Police, we were referred to the police in New South Wales, as that’s where the hack allegedly took place.

The New South Wales Police said over the weekend, and confirmed again today, that no-one is investigating the matter.

On a federal level, late today the Australian Federal Police revealed it was aware of the matter.

But over the weekend, the AFP said nothing, instead referring the matter to the Attorney-General’s Department.

It said the national Computer Emergency Response Team, or CERT, wouldn’t confirm if it was investigating anything.

Australia’s Privacy Commissioner wasn’t available for an interview either, but Timothy Pilgrim says he was told of the breach on 22nd December. However he’s still deciding if there’ll be a formal investigation.

Which leaves us in somewhat of a perverse situation, where it’s the hacker himself who is the only one talking about the data breach.

BRENDAN TREMBATH: And communicate he does. As the story mentioned, the hacker goes by the online name Abdilo.

An internet security firm based in the United States says he’s likely to be a teenager living in Queensland.

The ABC cannot yet independently identify those details, and has asked Abdilo unsuccessfully several times for a recorded interview.

But he has been talking via online chat with ABC producer Ben Sveen for several days now, saying that he knows hacking is irresponsible.

Our reporter Will Ockenden has read the transcripts and joins me now.

Will, what has he been saying?

WILL OCKENDEN: Well he’s been saying to us quite a lot. He freely admits to the hack, and also the hacking and attempted hacking of a lot more websites and internet services.

He’s been telling us he tests these websites, but has recently been focusing specifically on Australian websites. But the worrying thing here is that not all of his data breaches are released online for all to see.

He says that some of the attacks, the possible hacks, are actually sold online to others secretly, who then exploit those vulnerabilities, using that private information you can get from these types of attacks for other criminal purposes.

And he says in the last six months, he sold around $3,000 worth of vulnerabilities to other hackers, and he would have sold more but his buyers, he says, keep getting arrested.

He says, “If you are vulnerable to hacking, 99 per cent of the time I’m going to steal everything and release it and/or sell it.”

BRENDAN TREMBATH: How does he do it?

WILL OCKENDEN: Well, security experts say this type of attack actually isn’t that hard, and in fact, with the right tools, they could actually be done by children.

It’s called an SQL injection attack, and most of the hacks we’ve actually seen look like that the hackers have been exploiting really old Microsoft server software.

So the problem with having outdated software means you’re potentially leaving your entire database open to anyone who comes along.

And the SQL injection attacks have been around for quite a while, but IT security experts are saying that the number is rising of late.

And it also seems like the hackers have a virtual smorgasbord of choice. There are thousands of websites and servers out there running the old software, so it’s really just a matter of picking the so-called low-hanging fruit.

BRENDAN TREMBATH: Any movement at the state police level?

WILL OCKENDEN: Not yet, and in any case, Abdilo has said that anything he’s got, all the databases, is actually encrypted and he’ll hit a button, a delete button, if the police come barging through the door.

And so in some discussions with him it seems like he wants to get caught, and he sort of taunts the police. One of the quotes went along the lines of “They know who I am and where I am. Because of the IntelCrawler report they have a full blown report on me. I’ve got a giant arrow pointing at me, yet no cops so far.”

BRENDAN TREMBATH: Will Ockenden reporting, and his offer of a recorded interview stands.
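The transcript names the attack class, SQL injection against a string-built database query, but does not show why it works or what the fix looks like. The following Python example is added here and is not from the ABC report, from Aussie Travel Cover’s systems, or from any of the people quoted. It builds a constructed toy “Policies” table in an in-memory SQLite database, runs the same lookup through a string-concatenated query and through a parameterised one, and stores card numbers only in the masked form the report says it saw. The table layout, column names, sample rows and the `lookup_unsafe`/`lookup_safe` helper names are all assumptions for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the "Policies" table the transcript
# describes. Card numbers are stored only in masked form (first six and last
# four digits), so even a full table dump yields no usable card number.
SAMPLE_POLICIES = [
    (1, "alice@example.com", "2015-01-20", "4111111111111111"),
    (2, "bob@example.com", "2015-02-03", "5500000000000004"),
    (3, "carol@example.com", "2015-03-11", "340000000000009"),
]


def mask_card(pan: str) -> str:
    """Keep only the first six and last four digits; replace the rest with '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("card number too short to mask safely")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database that holds only masked card data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policies (id INTEGER PRIMARY KEY, email TEXT, "
        "travel_date TEXT, card_masked TEXT)"
    )
    conn.executemany(
        "INSERT INTO policies VALUES (?, ?, ?, ?)",
        [(pid, email, date, mask_card(pan)) for pid, email, date, pan in SAMPLE_POLICIES],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern (hypothetical): caller input is spliced into the SQL
    text, so a quote character in the input changes the query's meaning."""
    sql = "SELECT id, email, card_masked FROM policies WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver binds email as a value, never as SQL."""
    sql = "SELECT id, email, card_masked FROM policies WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a benign address and with input containing a quote
    and an always-true condition; return the number of rows each produced."""
    conn = build_db()
    benign = "alice@example.com"
    hostile = "nobody@example.com' OR '1'='1"
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_hostile": len(lookup_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the string-built query the hostile input returns every row in the table, which is exactly the whole-database exposure the transcript describes; with the parameterised query the same input is compared as a literal email address and matches nothing. Keeping card numbers only in masked form is the second, independent control: it limits what any successful dump can yield, which is the point behind the partial card numbers the report says it saw.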

It is interesting to see how the United States has responded to the major breach of privacy caused by the Sony hack. It has acted as an impetus to legislative reform. The President has announced a proposal to reform and improve US privacy laws, at least insofar as they relate to data breach notification. His office has issued a fact sheet titled Safeguarding American Consumers & Families. It is a broad call to action in an area of regulation that has been inadequate, with poor coverage. It is useful to note that if the President’s plan is adopted the United States will be better prepared than Australia in establishing robust regulation for data protection. Australia has no mandatory data protection. The Privacy Amendment (Privacy Alerts) Bill 2014, a private member’s bill identical to its namesake Government bill that lapsed in 2013, lies in the Senate. With the Privacy Act’s coverage incomplete and the level of regulation in the past languid, it is little wonder the perceived risk of enforcement is low and compliance patchy.

The fact sheet provides:

Today, President Obama will build on the steps he has taken to protect American companies, consumers, and infrastructure from cyber threats, while safeguarding privacy and civil liberties.  These actions have included the President’s 2012 comprehensive blueprint for consumer privacy, the BuySecure initiative—launched last year— to safeguard Americans’ financial security, and steps the President took earlier this year by creating a working group of senior administration officials to examine issues related to big data and privacy in public services and the commercial sector.  

In an increasingly interconnected world, American companies are also leaders in protecting privacy, taking unprecedented steps to invest in cybersecurity and provide customers with precise control over the privacy of their online content.  But as cybersecurity threats and identity theft continue to rise, recent polls show that 9 in 10 Americans feel they have in some way lost control of their personal information — and that can lead to less interaction with technology, less innovation, and a less productive economy.

At the Federal Trade Commission offices today, President Obama will highlight measures he will discuss in the State of the Union and unveil the next steps in his comprehensive approach to enhancing consumers’ security, tackling identity theft, and improving privacy online and in the classroom.  These steps include:

Improving Consumer Confidence by Tackling Identity Theft

  • The Personal Data Notification & Protection Act: The President is putting forward a new legislative proposal to help bring peace of mind to the tens of millions of Americans whose personal and financial information has been compromised in a data breach.  This proposal clarifies and strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach, while providing companies with the certainty of a single, national standard.  The proposal also criminalizes illicit overseas trade in identities.
  • Identifying and Preventing Identity Theft:  To give consumers access to one of the best early indicators of identity theft, as well as an opportunity to improve their credit health, JPMorganChase and Bank of America, in partnership with Fair Isaac Corporation (FICO), will join the growing list of firms making credit scores available for free to their consumer card customers.  USAA and State Employees’ Credit Union will also offer free credit scores to their members, and Ally Financial is further widening the community of companies taking this step by making credit scores available to their auto loan customers.  Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders.

Safeguarding Student Data in the Classroom and Beyond

  • The Student Digital Privacy Act: The President is releasing a new legislative proposal designed to provide teachers and parents the confidence they need to enhance teaching and learning with the best technology — by ensuring that data collected in the educational context is used only for educational purposes.  This bill, modeled on a landmark California statute and building on the recommendations of the White House Big Data and Privacy review released earlier this year, would prevent companies from selling student data to third parties for purposes unrelated to the educational mission and from engaging in targeted advertising to students based on data collected in school – while still permitting important research initiatives to improve student learning outcomes, and efforts by companies to continuously improve the effectiveness of their learning technology products.
  • New Commitments from the Private Sector to Help Enhance Privacy for Students:  Today 75 companies have committed to the cause, signing a pledge to provide parents, teachers, and kids themselves with important protections against misuse of their data.  This pledge was led by the Future of Privacy Forum and the Software & Information Industry Association, and today the President challenged other companies to follow their lead.
  • New Tools from the Department of Education to Empower Educators Around the Country and Protect Students: The Department of Education and its Privacy Technical Assurance Center play a critical role in protecting American children from invasions of privacy. Today, we are announcing a forthcoming model terms of service, as well as teacher training assistance that will enhance our ability to help ensure educational data is used appropriately and in accordance with the educational mission.

Convening the Public and Private Sector to Tackle Emerging Privacy Issues

  • Voluntary Code of Conduct for Smart Grid Customer Data Privacy: Today the Department of Energy and the Federal Smart Grid Task Force are releasing a new Voluntary Code of Conduct (VCC) for utilities and third parties aimed at protecting electricity customer data — including energy usage information.  This Code reflects a year of expert and public consultation, including input from industry stakeholders, privacy experts, and the public.  As companies begin to sign on, the VCC will help improve consumer awareness, choice and consent, and controls on access.

Promoting Innovation by Improving Consumers’ Confidence Online

  • Consumer Privacy Bill of Rights Legislation: Online interactions should be governed by clear principles — principles that look at the context in which data is collected and ensure that users’ expectations are not abused.  Those were the key themes of the Administration’s 2012 Consumer Privacy Bill of Rights, and today the Commerce Department announced it has completed its public consultation on revised draft legislation enshrining those principles into law.  Within 45 days, the Administration will release this revised legislative proposal and today we call on Congress to begin active consideration of this important issue.

These actions build on steps the President has already taken to support consumer privacy and fight identity theft, including:

  • Making Federal Payments More Secure to Help Drive the Market Forward: In October, as part of his BuySecure Initiative, the President issued an Executive Order laying out a new policy to secure payments to and from the Federal government by applying chip and PIN technology to newly issued and existing government credit cards, as well as debit cards like Direct Express, and upgrading retail payment card terminals at Federal agency facilities to accept chip and PIN-enabled cards. This accompanied an effort by major companies like Home Depot, Target, Walgreens, and Walmart to roll out secure chip and PIN-compatible card terminals in stores across the country.
  • New Measures to Prevent Identity Theft: The President also announced new steps by the government to assist victims of identity theft, including supporting the Federal Trade Commission in their development of a new one-stop resource for victims at IdentityTheft.gov and expanding information sharing to ensure Federal investigators’ ability to regularly report evidence of stolen financial and other information to companies whose customers are directly affected.

There has been considerable media coverage, including from the New York Times in Obama to Call for Laws Covering Data Hacking and Student Privacy, the Age with Obama to announce cybersecurity plans in State of the Union address, White House says, and a more critical analysis in Obama’s Breach Notification Plan Lacks Specifics.

The New York Times article provides:

WASHINGTON — President Obama on Monday called for federal legislation intended to force American companies to be more forthcoming when credit card data and other consumer information are lost in an online breach like the kind that hit Sony, Target and Home Depot last year.

The president also proposed the Student Data Privacy Act, which would prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software. And he will announce voluntary agreements by companies to safeguard home energy data and to provide easy access to credit scores as an “early warning system” for identity theft.

“If we’re going to be connected, then we need to be protected. As Americans, we shouldn’t have to forfeit our basic privacy when we go online to do our business,” Mr. Obama said Monday. “Each of us as individuals have a sphere of privacy around us that should not be breached, whether by our government, but also by commercial interests.”

Monday’s announcements were part of a weeklong focus on privacy and cybersecurity by Mr. Obama ahead of his State of the Union address next week. White House officials said they expected bipartisan support for the initiatives and did not anticipate fierce opposition from industry or advocacy organizations.

But on Capitol Hill, Mr. Obama faces a Republican-controlled Congress for the first time in his presidency. It remains unclear how quickly his adversaries in the House and the Senate will move to take up the legislation, and whether disputes in other areas could delay its consideration.

Consumer and privacy groups have yet to see details of the president’s proposals, and some remain concerned that any federal standard could be weaker than the robust state laws passed in recent years. California, for example, recently passed a state law protecting student data.

“The problem is that the effect will likely be to pre-empt the stronger state laws,” said Marc Rotenberg, the president of the Electronic Privacy Information Center, who favors disclosure faster than 30 days. “We want a federal baseline, and leave the states with the freedom to establish stronger standards.”

Chris Calabrese, the senior policy director for the Center for Democracy and Technology, said that his group had not rejected the idea of a federal law, but that it depended on how it was written. “There is a lot of concern in the advocacy community about the possibility of a federal law being watered down,” Mr. Calabrese said.

Corporate data breaches have gained urgency since attacks on Sony Pictures that officials say were done by the North Korean government. Under the proposed law, the discovery of a breach would trigger a “30-day shot clock” that requires notification. The legislation clarifies when breaches must be disclosed and makes it a crime to sell a person’s cyberinformation overseas. The Federal Trade Commission would get the power to issue penalties to companies that did not comply.

“There’s a crazy quilt patchwork of 48 state laws, and they are in tension with each other,” said Jon Leibowitz, a partner at the Davis Polk law firm and a former chairman of the Federal Trade Commission under Mr. Obama. “This is not a flash point, ideological battle here. It could be the kind of legislation that protects privacy, protects consumers and actually has a chance for getting enacted.”

The administration’s student privacy effort comes as schools across the country are adopting digital education products — including math textbooks and online homework portals — that can collect information about a student’s every keystroke. The premise behind the data collection is to customize lessons to the academic needs and learning preferences of each child.

But these data-mining practices have begun to trouble some parents, who say they are concerned that education technology companies could potentially collect — and later share — sensitive details about, for example, a child’s disciplinary record or a family’s financial status.

To alleviate those kinds of concerns, California last summer enacted a comprehensive education privacy law that largely prohibits companies from collecting student information for advertising and marketing. Children’s advocates applauded Mr. Obama’s plans for a similar law.

“You can’t have all this potentially positive use of technology in schools without privacy protection for students, their families and teachers,” said James P. Steyer, the chief executive of Common Sense Media, a children’s advocacy and media ratings group in San Francisco that has worked with Google, Apple, Amazon and other companies that distribute the group’s educational materials.


One Response to “Major data breach of Aussie Travel Cover”

  1. US to legislate in response to data hacking | Australian Law Blogs

    […] US to legislate in response to data hacking […]
