Security of member information update
There has recently been some media coverage about unauthorised access to our members' online benefit statements. The statements were in PDF format and were viewed by the person responsible but he did not gain direct access to other account details nor did he conduct any transactions.
"Some?" Now there's an understatement. Both the IT and the popular press have been having a field day over this!
You say "did not gain direct access to other account details." I assume this means that the researcher had to read them off the PDF and copy them elsewhere in order to qualify as "not direct access," because surely many private details would have been included on these statements.
Of course he didn't conduct any transactions - even if he could, he wouldn't have been that stupid (even if he did access 568 PDFs - somewhat excessive, I might suggest).
Only 568 member statements were viewed out of a total membership of some 770,000. The members whose statements were viewed have been notified.
This contradicts earlier statements, which insisted that all members had been advised; it was only corrected when a large number of members contacted First State Super, and also commented on various press articles, saying that they had received no such notification.
The message continues...
If it was that easy to fix, why didn't they do it BEFORE the problem was made public? In fact the Acting NSW Privacy Commissioner John McAteer made very public suggestions regarding this very vulnerability following a similar incident at the University of Sydney in June this year.
The unauthorised access occurred in late September 2011 and was carried out by a member of First State Super, who is the principal consultant with an IT security firm. While he immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner.
The company may well have considered Patrick Webster's actions to be a "serious breach of privacy legislation" and contrary to the "recommendations of the Privacy Commissioner," although they do not make clear to which Privacy Commissioner they're referring - NSW or Commonwealth. However, First State Super is itself in clear breach of National Privacy Principle 4.1, part of the Commonwealth Privacy Act 1988. According to the summary, NPP 4.1 "provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure." Surely creating the circumstances for the 'hack' to occur is a far greater breach than accessing the data to prove the problem exists.
What is not stated here is that the lawyers' letter delivered to Webster also included a threat that he would be billed for any costs related to rectifying the problem.
Of interest in the letter is the howler: "Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website." Clearly this is saying that it's OK for a non-member to execute the 'hack,' but not a member.
First State Super appreciates that the actions of the person involved have allowed us to address an undetected weakness in our online security. Subject to his compliance and cooperation in ensuring that the unauthorised statements he downloaded have been destroyed, we have no intention of taking any other action against him.
I would prefer to suggest that there was a far greater weakness in the security abilities of the First State Super IT team - any security expert will tell you that this is a very basic mistake to make, and that absolutely no significant penetration testing was performed on this system. The Open Web Application Security Project (OWASP) lists this particular vulnerability as number four on its top ten web security risks for 2010, under the general category of "Insecure Direct Object References."
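As an added illustration of the vulnerability class named above (example code written for this article, not First State Super's system; the statement store, member ids and log lines are constructed), here is the unchecked download handler beside its hardened form, plus the access-log check that would have flagged hundreds of statements going to a single member:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Statement:
    statement_id: int
    owner_member_id: int
    pdf_bytes: bytes

# Constructed sample store; statement and member ids are hypothetical.
STATEMENTS = {
    1001: Statement(1001, 42, b"%PDF-1.4 statement for member 42"),
    1002: Statement(1002, 43, b"%PDF-1.4 statement for member 43"),
}

class Forbidden(Exception):
    pass

def download_statement_insecure(member_id: Optional[int], statement_id: int) -> bytes:
    """Vulnerable pattern: checks that someone is logged in, then trusts the
    statement id from the request without checking who owns that statement."""
    if member_id is None:
        raise Forbidden("login required")
    return STATEMENTS[statement_id].pdf_bytes

def download_statement_secure(member_id: Optional[int], statement_id: int) -> bytes:
    """Hardened form: resolve the object, then require that its owner is the
    authenticated member. A foreign id and a missing id get the same answer,
    so the response does not reveal which ids exist."""
    if member_id is None:
        raise Forbidden("login required")
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.owner_member_id != member_id:
        raise Forbidden("statement not found")
    return stmt.pdf_bytes

# Constructed access-log lines, one "member_id statement_id" pair per download.
SAMPLE_LOG = "42 1001\n42 1002\n42 1003\n43 1002\n"

def flag_bulk_statement_access(log_text: str, threshold: int = 2) -> list:
    """Detection: a member fetching more distinct statement ids than one
    account could own is the signature of this kind of enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        member, stmt = line.split()
        seen[int(member)].add(int(stmt))
    return sorted(m for m, ids in seen.items() if len(ids) > threshold)
```

The threshold is deliberately low for the constructed log; in practice it would be set from the number of statements a single account can legitimately hold.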
Late this afternoon, Federal Privacy Commissioner Timothy Pilgrim announced that he was instigating an "own motion investigation" into the company: "I will be looking at their compliance with the Privacy Act and in particular their data security practices."
This announcement made no suggestion that Patrick Webster's actions were under the Commissioner's gaze, thus refuting First State Super's claim that "his actions were nevertheless a serious breach of privacy legislation."
In addition, a media statement by the NSW Privacy Commissioner (dated 18th October, but released today) directly pointed to the similarity between this breach and the one he publicised loudly which occurred at the University of Sydney. Further, Commissioner McAteer noted "that these types of errors can be reasonably detected with proper testing."
The road ahead for First State Super is a rocky one; all of their own making. It's a pity they never bothered to take their own security advice.