David Heath
Monday, 12 December 2011 21:36
We don't yet know why, but we sure know what was breached: 60,000 user accounts, including details of the accounts (passwords among them) and the services used. The Privacy Commissioner is investigating.
After a Whirlpool user accidentally noticed (check the 5th paragraph) that a Google-searchable database which included far too much information was freely visible and publicised the fact at 1:08pm last Friday, it took until much later in the afternoon, and an article on SMH, to have the data taken off-line a little before 5:00pm.
'WireFire,' the Whirlpool poster wrote, "Incidentally, if you do a Google search for that number, [referring to a 'bundles' department contact number] you get a very interesting result. Um, Telstra, that's customer information just sitting out on the open Web… That page also seems to suggest that he shouldn't have given me the number, but should have put me through."
It seems that numerous users checked to see if their details were visible; many found they were, and many more simply held on to the data.
Interestingly, one of the later Whirlpool posters noted that their own details were present, but that the password listed was the initial one on the account, which had been changed soon after.
The reaction (although substantially less than swift) was to take down large swathes of the Telstra Internet service (including email) for around 1 million BigPond users.
Telstra advised that passwords for around 60,000 users had been reset "as a precaution." One can only wonder how just 60,000 out of a million were considered to be at risk.