Another data breach by an Australian Government Agency…this time the Department of Social Services
November 26, 2017
It has been a bad year for data breaches in Australia. Perhaps not as bad as America, where the Equifax data breach, involving 145 million Americans, took matters to a whole new level in terms of the volume of data stolen, the impact of that credit reporting information on the individuals affected and the truly dreadful response. Similarly, the recently announced Uber breach, involving 57 million individuals, has been a new low in terms of woeful data security and appalling subsequent management. But Australian agencies and organisations have shown, through a string of data breaches, most recently one involving 50,000 Australians held by the Department of Finance, the Australian Electoral Commission and other agencies, that there remains a poor culture of privacy protection and data security. Lax regulation and little in the way of consequences for breaches of the legislation have largely contributed to this poor state of affairs.
The Guardian reports on a breach at the Department of Social Services, yet another breach by a third party contractor, which has necessitated the department writing to 8,500 individuals: 2,000 current and 6,500 former employees of the Department. The compromise exposed information collected and held between 2004 and 2015: credit card information, names, work phone numbers, email addresses, system passwords, Australian Government Services numbers and details of the employees’ positions within the Department. That is plenty to support serious identity theft. What is breathtaking is that the data was exposed for 16 months, from June 2016 until October 2017.
The article provides:
The Department of Social Services has written to 8,500 current and former employees warning them their personal data held by a contractor has been breached.
In letters sent in early November the department alerted the employees to “a data compromise relating to staff profiles within the department’s credit card management system prior to 2016”.
Compromised data includes credit card information, employees’ names, user names, work phone numbers, work emails, system passwords, Australian government services number, public service classification and organisation unit.
The department failed to warn staff how long the data was exposed for but a DSS spokesman told Guardian Australia that the contractor, Business Information Services, had advised that the data was open from June 2016 until October 2017. The data related to the period 2004 to 2015.
The letters from the DSS chief financial officer, Scott Dilley, blame “the actions of the department’s third-party provider” and say the compromise “is not a result of any of the department’s internal systems”.
“The data has now been secured,” Dilley wrote. He said there was “no evidence” of improper use of the data or the department’s credit cards.
The DSS spokesman said that on 3 October the Australian Signals Directorate had notified it of the compromise. “The Australian Cyber Security Centre immediately contacted the external contractor to secure the information and remove the vulnerability within hours of notification,” he said.
Asked to assess the severity of the breach, the Australian Privacy Foundation chairman, David Vaile, said it had affected a “significant number” of people and noted the department had given staff “no clue how far back” it extended or how long data was exposed for.
He said that employees’ usernames, full names and system passwords were “material that could be quite useful for identity theft, fraud and masquerading”, where an attacker pretends to be an authorised user.
Vaile said the notification was a “masterpiece of passive aggressive writing” that sought to downplay the effect of the breach, when it should be for the benefit of the victims to provide as much information as possible to counter the threat.
It did not contain acknowledgement that outsourcing functions to an external provider “represents an increased risk and in this case it has come home to roost”, he said.
Vaile questioned how extensive the department’s inquiries were into whether the data was accessed, adding that little comfort could be taken from the fact departmental credit cards had not been charged because consequences of a data breach can take time to materialise.
A spokeswoman for Business Information Services said that as a result of a “control vulnerability” some historical information about employees’ work expenses “was vulnerable to possible cyber breach”.
“There is no evidence of a cyber-attack, only that it was possible,” she said.
The spokeswoman said the information included “partially anonymous work-related expenses” including “cost centres, corporate credit cards without CCV and expiry dates and passwords that were hashed and therefore not visible”.
“The bulk of credit card information within the data had expired.”
The BIS spokeswoman said the vulnerability was “secured within four hours”, the data is no longer publicly accessible and it had undertaken a security review.
The DSS spokesman said the department “takes security seriously”.
He said the department has been working with the ACSC and the Office of the Australian Information Commissioner to notify 2,000 current and 6,500 former employees and to work with the external contractor “to ensure effective arrangements are in place, and to support affected staff”.
The letter also suggested employees may wish to change or strengthen passwords if they used the same password across work and personal accounts.
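The contractor’s assurance that the passwords were “hashed and therefore not visible” deserves a caveat, and the letter’s advice about reused passwords shows why. The following is an added example, not code from the Guardian article, the Department or the contractor, and it makes no claim about how the contractor actually stored passwords: it assumes, for illustration, a legacy table of unsalted MD5 hashes, a constructed three-user sample and a constructed six-word attacker wordlist. It shows that an attacker holding such a table recovers every weak password with one hash per wordlist entry regardless of how many accounts leaked, that per-user salting and a slow KDF (PBKDF2 here) only raise the cost rather than remove it for weak passwords, and that a recovered work password is exactly what makes reuse on a personal account dangerous.

```python
import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample data, not from the incident: three staff records whose
# passwords were stored as unsalted MD5 (an assumed legacy design).
LEAKED_UNSALTED = {
    "jsmith": md5_hex("Summer2015"),
    "akhan": md5_hex("password1"),
    "lwong": md5_hex("c0rrect-horse-battery-staple-9!"),
}

# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "password1", "Summer2015", "Welcome1", "letmein"]


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on unsalted hashes.

    Each candidate is hashed once and compared against every user at the same
    time, so the work is len(wordlist) however many accounts leaked.
    Returns (recovered {user: password}, number of hash evaluations).
    """
    table = {md5_hex(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def pbkdf2_record(password: str, iterations: int) -> tuple:
    """Store a password the way a current system should: a random per-user
    salt and a deliberately slow iterated hash. Returns (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(records: dict, wordlist: list, iterations: int) -> tuple:
    """The same attack against salted PBKDF2 records.

    The salt defeats the shared lookup table, so every user costs up to
    len(wordlist) PBKDF2 evaluations of `iterations` rounds each. Weak
    passwords still fall, only more slowly.
    Returns (recovered {user: password}, number of PBKDF2 evaluations).
    """
    recovered, evaluations = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            evaluations += 1
            candidate = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(candidate, digest):
                recovered[user] = w
                break
    return recovered, evaluations


def reused_elsewhere(recovered: dict, other_site: dict) -> list:
    """The risk the DSS letter points at: a cracked work password that also
    opens a personal account. other_site maps user -> unsalted MD5 (constructed)."""
    return [u for u, p in recovered.items() if other_site.get(u) == md5_hex(p)]


if __name__ == "__main__":
    found, n = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted MD5: recovered {found} with {n} hash evaluations")

    iters = 1000  # kept low so the demo runs in seconds; production should use far more
    plaintexts = [("jsmith", "Summer2015"), ("akhan", "password1"),
                  ("lwong", "c0rrect-horse-battery-staple-9!")]
    salted = {u: pbkdf2_record(p, iters) for u, p in plaintexts}
    found_s, n_s = crack_salted(salted, WORDLIST, iters)
    print(f"salted PBKDF2: recovered {found_s} with {n_s} evaluations of {iters} rounds")

    personal = {"jsmith": md5_hex("Summer2015"), "akhan": md5_hex("something-else")}
    print("passwords reused on the personal site:", reused_elsewhere(found, personal))
```

The point for anyone reading a breach notification: “hashed” says nothing about the algorithm, the salt or the work factor, and even the best storage scheme does not protect a password that sits in an attacker’s wordlist. Treat exposed password hashes as exposed passwords and rotate them, especially wherever the same password was reused.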