[BreachExchange] Credit card details, salary information published by government contractor

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 2 20:11:08 EDT 2017


http://www.abc.net.au/news/2017-11-02/major-government-data-breach-prompts-investigation/9112246

The personal details of up to 50,000 Australians — including some credit
card numbers and salaries — have been mistakenly posted online by a
contractor, in one of the biggest data breaches to date.

The information, including full names, emails, expenses and payment
details, was publicly available online until early October.

The breach, first reported by ItNews, was discovered by a Polish security
researcher who searched for data that should have been protected online.

Close to 25,000 credit card transactions of staff at insurer AMP were
disclosed by the contractor, which has not yet been named.

The Finance Department, the Australian Electoral Commission and the
National Disability Insurance Agency have also been compromised.

An AMP spokesman confirmed a "limited amount of company data related to
internal staff expenses was inadvertently stored in a publicly available
cloud service".

"The mistake was quickly corrected once identified and the matter was
investigated to ensure all data had been removed," the spokesman told the
ABC.

"No customer data was compromised at any time [and] we are reviewing the
situation to ensure standards are maintained."

Dutch multinational Rabobank confirmed some of its employee data was
breached and that an investigation had been launched.

A spokeswoman for the bank said no client information or staff salaries and
credit cards were disclosed.

A spokesman from the Department of Prime Minister and Cabinet said the
breach did not include national security data or classified material.

"The data exposed was historical, archived and partially anonymised data,"
the spokesman said.

"It contained limited personally identifiable information of government
employees such as work email addresses, and in some cases Australian
Government Service numbers and corporate credit card details.

"The departments involved have been notifying affected staff and working to
give them appropriate support."

The Government agencies have been working with the Australian Cyber
Security Centre and the Information Commissioner to "develop an appropriate
response to the breach".

The Federal Government has been increasingly outsourcing its IT projects to
contractors who are winning close to $10 billion in contracts each year.

The spiralling costs — up from $5.9 billion in 2012-13 — have not always
resulted in better outcomes for the public and there are concerns about
data being properly managed.

This breach comes a year after the personal data of 550,000 blood donors,
that included information about "at-risk" sexual behaviours, was leaked
from the Red Cross Service.

Just last month, a Government contractor lost a 1,000-page manual on future
security arrangements at Parliament House.

'This is a serious breach'

The Australian Cyber Security Centre and the Minister Assisting the Prime
Minister for Cyber Security, Dan Tehan, have been contacted for comment.

Labor's digital economy spokesman, Ed Husic, said the Government should
have reported the breach before it was exposed by the media on Thursday.

"The Government cannot claim that it is not to blame for the actions of a
contractor. Ultimately the buck stops somewhere," he told the ABC.

"This is some really sensitive data that has been obtained from passwords
to credit card details, 50,000 Australians across Government and banks.

"This is a serious breach and the Government should treat it seriously."