Personal details of up to 50,000 Australians posted on line in one of Australia’s largest data breach

November 2, 2017 |

Contractors and third party providers are notorious for being weak points in data security.  Some of the largest data breaches have occurred through poor data security of contractors.  The Sony and Target breaches were caused by hackers accessing sites through a contractors access point. It happens in Australia on a more regular basis than people appreciate. And it has now happened in Australia on a very significant scale.  Itnews reports that files, which included full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses was made available on line by a contractor.  In all personal information of 50,000 Australians were compromised.  Of that 50,000, 25,000 involved AMP credit card transactions.  Also exposed were 17,000 records  from UGL and  1500 from Rabobank. It also includes data from the Commonwealth Finance Department, the Australian Electoral Commission and the National Disability Insurance Agency.  Rabobank data was also compromised.  The story was originally reported by itnews.  This breach has also been reported by the  ABC , Australian Financial Review, News.com.au, the Canberra Times, the Guardian, Sky News, SBS and the Australian. The Fairfax press has provided a very detailed story with Data breach sees records of 50,000 Australian workers expose.

The data was accessible until the first week of October.

Contractors are increasingly used by organisations and agencies, particularly in the IT area.  If an organisation gives contractors access to personal information it is still responsible for maintaining proper data security under Australian Privacy Principle 11.  At minimum the organisation should have strong, enforceable and verifiable processes, through a contract, to ensure the contractors maintain minimum acceptable data security processes which involve training of staff and proper cyber security systems. Unfortunately that happens only occasionally.

What is notable about this breach is that it only became known when the media reported on the breach.  According to the reports the breach was detected in early October.  This secretive approach is typical in Australia with organisations and all too common with Commonwealth agencies.  There is a culture that people whose personal information has been compromised do not need to be notified until it suits the organisation and agency.  Often times that is when news of the breach has broken or the information has been misused and loss has been suffered.  That is the antithesis of good practice. Hopefully that attitude will change when data breach notification laws come into effect on 22 February 2017 next year.

The response to this breach by the Commonwealth Public Service was very much in the vein of “nothing to see here” as it has all been sorted out under the covers and in any event “The data exposed was historical, archived and partially anonymised data”.  Based on the Fairfax and other articles a wall of public servant speak has been thrown up around the issue.  It is almost impenetrable against most attempts to find out what actually happened. While that is bad policy and poor management it is a fairly common approach by the Commonwealth when faced with a data breach.  Implying that the impact of the data breach is not significant because much of the data was historical and archived is glib and misleading.  Historical and archived personal information is still potent for anyone wishing to engage in identity theft and partially anonymised is vague to the point of meaningless. In any event personal information is personal information, whether of a historical nature, whatever that means, or current.

There has been no comment from the Information Commissioner.  According to the Fairfax article the Department of Prime Minister and Cabinet have worked with the ACSC and the Information Commissioner’s Office. One would have thought this is a case where an enforceable undertaking, with teeth, was in the offing or even civil penalty proceedings. Unfortunately the Information Commissioner generally opts for non action when given any sort of choice.

The itnews story provides:

Exclusive: lncludes credit card numbers, salaries.

The personal details of almost 50,000 Australian employees of several government agencies, banks and a utility have been exposed online by a third-party contractor.

In what appears to be the country’s second largest data breach behind the leak of information on 550,000 blood donors last yeariTnews can reveal that 48,270 personal records were left openly accessible as a result of a misconfigured Amazon S3 bucket.

The records were discovered by a Polish security researcher going by the moniker Wojciech who conducted a search for Amazon S3 buckets set to open, with “dev”, “stage”, or “prod” in the domain name, and containing specific file types like xls, zip, pdf, doc and csv.

The files he found include full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses.

Insurer AMP was the most impacted, with 25,000 staff records exposed as a result of the misconfiguration.

Utility UGL was affected to the tune of 17,000 records, while 1500 pieces of employee data were discovered from Rabobank.

Several thousand government employee details were also leaked: 3000 at the Department of Finance, 1470 at the Australian Electoral Commission, and 300 at the National Disability Insurance Agency.

The databases were backups made in March 2016. Wojciech said most of the credit card numbers had been cancelled, and many of the records were available in duplicate.

The location of the files in a single S3 bucket and the similar appearance of the table schema in each backup suggests one contractor is behind the breach.

None of the impacted organisations would name the third party.

In a statement to iTnews the Department of Prime Minister and Cabinet – the parent agency for the Australian Cyber Security Centre – said it had been alerted to the breach in early October.

“Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” the spokesperson said.

“Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements.”

The agency urged any other affected organisations to contact the ACSC.

AMP confirmed a “limited amount of company data” on staff expenses had been inadvertently exposed by a third-party supplier.

“The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time,” a spokesperson told iTnews.

“AMP treats data security very seriously and has strict policies in place regarding the handling of data with third party vendors. We are reviewing the situation to ensure standards are maintained.”

UGL declined to comment. Rabobank declined to comment while an investigation was underway.

Wojciech said he contacted AMP and the Defence department in early October about the issue, only receiving a response from the government agency.

The Australian Signals Directorate told Wojciech in emails sighted by iTnews that it had worked with the contractor to apply access control lists to the data to prevent further unauthorised access. It would not comment on whether anyone other than the researcher had accessed the data.

From February next year organisations will be required to report a data breach to the Office of the Australian Information Commissioner.

The Fairfax article provides:

Nearly 50,000 Australians and 5000 federal public servants have had sensitive personal information exposed online as part of one of the nation’s biggest ever data breaches.

Employees of the Department of Finance, the Australian Electoral Commission and National Disability Insurance Agency have been caught up in the massive leak caused by a private contractor, along with more than 40,000 private sector workers from insurer AMP, utility UGL and Dutch multinational Rabobank.

The bulk of credit card information within the data had expired.

A spokesman for the department said the data breach involved a third party contractor engaged to provide expense management services, impacting four federal government departments.

About 3000 employee records from the Finance Department were exposed, along with 1470 from the Australian Electoral Commission and 300 at the National Disability Insurance Agency, IT News reported.

The records were accessible through an incorrectly configured Amazon cloud storage service and reportedly discovered by a Polish security researcher identified as “Wojciech”.

The government’s Australian Cyber Security Centre was first alerted to the breach in early October.

The Department of Prime Minister and Cabinet said the ACSC immediately contacted the contractor to secure the information and remove the vulnerability within hours of being notified.

“The exposed data did not contain any national security information, classified material, or Australian government customer data.”

Departments involved have been notifying affected staff and giving them appropriate support, and have worked with the ACSC and the Office of the Australian Information Commissioner to respond to the breach, it said.

“Having removed the vulnerability, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements, and support affected staff.”

AMP was the organisation worst hit in the breach, with about 25,000 staff records exposed.

Some 17,000 records were exposed from UGL along with 1500 from Rabobank.

The private contractor has not been named but it is understood the information was primarily backed-up data from March 2016.

The leak follows revelations last month that a 1000-page security manual related to security upgrades at Parliament House had been lost by defence giant BAE Systems.

In October 2016, private information related to half a million Australians – including their sexual and medical histories – was made public when Australian Red Cross Blood Service files were accidentally placed on an unsecured, public-facing website.

Opposition digital economy spokesman Ed Husic said the latest breach was a grave error, made more disturbing because it followed recent leaks including of Medicare information.

Mr Husic said it risked undermining public confidence in government data security.

“On top of this, it’s clear the government knew about it, they weren’t public about it,” he said.

“The government did not explain what they knew and how they were fixing it.

“We’re calling for a review of what’s happened, and want to hear from the government as well,” he said.

A spokesman for AMP confirmed a limited amount of data related to staff expenses had been stored inadvertently in a publicly available cloud service operated by a third-party supplier.

“The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed.

“No customer data was compromised at any time,” he said.

Community and Public Sector Union national secretary Nadine Flood called on the government to take immediate steps to rectify the breach.

“The private operator behind this serious breach has not only failed to protect the personal information of Commonwealth public sector workers, but also potentially the critical information held by those government agencies on Australians,” she said.

“Disclosing employees’ email addresses, passwords and IDs fairly obviously gives cyber attackers a way into those systems.”

Leave a Reply