Author's Opinion


Wednesday, 19 October 2011 23:49

First State Super responds (and they still think they're in the right)


Late this afternoon First State Super made its first public statement on the so-called hacking scandal.  With zero contrition.

A few hours ago, the following statement appeared on the First State Super website.  Allow me to add annotations (the various paragraphs of the statement are italicised for clarity).

Security of member information update

There has recently been some media coverage about unauthorised access to our members' online benefit statements. The statements were in PDF format and were viewed by the person responsible but he did not gain direct access to other account details nor did he conduct any transactions.

"Some?"  Now there's an understatement.  Both the IT and the popular press have been having a field day over this!

You say "did not gain direct access to other account details."  I assume this means that the researcher had to read them off the PDF and copy them elsewhere in order to qualify as "not direct access," because surely many private details would have been included on these statements.

Of course he didn't conduct any transactions - even if he could, he wouldn't have been that stupid (even if he did access 568 PDFs - somewhat excessive, I might suggest).

Only 568 member statements were viewed out of a total membership of some 770,000. The members whose statements were viewed have been notified.

This contradicts earlier statements, which insisted that all members had been advised; that claim was only corrected when a large number of members contacted First State Super and also commented on various press articles saying that they had received no such notification.

The message continues...

The fault in our security was also rectified immediately, and a comprehensive IT security review is now underway.

If it was that easy to fix, why didn't they do it BEFORE the problem was made public?  In fact the Acting NSW Privacy Commissioner John McAteer made very public suggestions regarding this very vulnerability following a similar incident at the University of Sydney in June this year.

The unauthorised access occurred in late September 2011 and was carried out by a member of First State Super, who is the principal consultant with an IT security firm. While he immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner.

The company may well have considered Patrick Webster's actions to be a "serious breach of privacy legislation" and contrary to the "recommendations of the Privacy Commissioner," although they do not make clear to which Privacy Commissioner they're referring - NSW or Commonwealth.  However, First State Super is itself in clear breach of National Privacy Principle 4.1, part of the Commonwealth Privacy Act 1988.  According to the summary, NPP 4.1 "provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure."  Surely creating the circumstances for the 'hack' to occur is a far greater breach than accessing the data to prove the problem exists.


On legal advice First State Super also reported the incident to the NSW Police so we could ensure that any unauthorised copies of the member statements involved were destroyed. We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information.

What is not stated here is that the lawyers' letter delivered to Webster also included a threat that he would be billed for any costs related to rectifying the problem.

Of interest in the letter is the howler: "Further, as a member of the Fund, your online access is subject to the terms and conditions of use which are outlined on the Fund's website."  Clearly this is saying that it's OK for a non-member to execute the 'hack,' but not a member.

First State Super appreciates that the actions of the person involved have allowed us to address an undetected weakness in our online security. Subject to his compliance and cooperation in ensuring that the unauthorised statements he downloaded have been destroyed, we have no intention of taking any other action against him.

I would prefer to suggest that there was a far greater weakness in the security abilities of the First State Super IT team - any security expert will tell you that this is a very basic mistake to make, and that absolutely no significant penetration testing was performed on this system.  The Open Web Application Security Project (OWASP) lists this particular vulnerability as number four on its Top 10 web application security risks for 2010, under the general category of "Insecure Direct Object References."


In addition, there must surely have been thousands of previous intrusions into the system by other hackers (and clearly none of them ethical enough to report it) as this kind of vulnerability is both easy to exploit and regularly searched for.  If (as First State Super claims) the 'weakness' was undetected, then they must have very poor logging of access to their website if they had to rely on Webster's report to learn that there was a problem.
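To make the two technical points above concrete (the missing ownership check behind an Insecure Direct Object Reference, and the enumeration that ordinary access logging would have exposed), here is an added illustration in Python. It is not code from the article or from First State Super; the member ids, statement ids, log format and function names are all invented for the example.

```python
"""Added example: the ownership check an OWASP A4 'Insecure Direct Object
Reference' fix boils down to, and an audit over constructed access-log lines
for the kind of statement enumeration that logging should reveal.
All member and statement ids below are constructed, not real."""
from collections import defaultdict

# Constructed data: which member owns which online benefit statement (PDF).
STATEMENT_OWNER = {"stmt-1001": "m-42", "stmt-1002": "m-43", "stmt-1003": "m-44"}
PDF_STORE = {sid: f"%PDF for {sid}".encode() for sid in STATEMENT_OWNER}


def fetch_statement_insecure(session_member, statement_id):
    """The defective pattern: the id taken from the request is trusted as-is,
    so any authenticated member can read any statement that exists."""
    return PDF_STORE.get(statement_id)


def fetch_statement(session_member, statement_id):
    """Hardened: the statement must belong to the authenticated member.
    Unknown ids and other members' ids get the same answer, so the response
    does not even confirm that a given statement exists."""
    if STATEMENT_OWNER.get(statement_id) != session_member:
        return None
    return PDF_STORE[statement_id]


# Constructed access-log lines: "<session member> <statement id> <http status>".
LOG_LINES = """\
m-42 stmt-1001 200
m-43 stmt-1002 200
m-42 stmt-1002 200
m-42 stmt-1003 200
m-42 stmt-1004 200
""".splitlines()


def find_enumerators(lines, owner_map):
    """Audit the log: count, per member, successful (200) fetches of statements
    that the member does not own. With the ownership check in place this is
    always zero; any non-zero count is either the missing check being used
    or a probe worth investigating. Returns {member: count} for offenders."""
    foreign = defaultdict(int)
    for line in lines:
        member, sid, status = line.split()
        if status == "200" and owner_map.get(sid) != member:
            foreign[member] += 1
    return dict(foreign)
```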

Late this afternoon, Federal Privacy Commissioner Timothy Pilgrim announced that he was instigating an "own motion investigation" into the company: "I will be looking at their compliance with the Privacy Act and in particular their data security practices."

This announcement made no suggestion that Patrick Webster's actions were under the Commissioner's gaze; thus refuting First State Super's claim that "his actions were nevertheless a serious breach of privacy legislation."

In addition, a media statement by the NSW Privacy Commissioner (dated 18th October, but released today) directly pointed to the similarity between this breach and the one he publicised loudly which occurred at the University of Sydney.  Further, Commissioner McAteer noted "that these types of errors can be reasonably detected with proper testing."

"In addition, the reports of First State Super's general response to being alerted to the breach highlight from a practical perspective the lack of any policy concerning 'breach notifications' in the First State Super Privacy Policy," said McAteer.  "This reinforces the continued need to examine the legislating of mandatory breach notifications for organisations."

The road ahead for First State Super is a rocky one; all of their own making.  It's a pity they never bothered to take their own security advice.





David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
