[BreachExchange] Data breach hits Department of Social Services credit card system

Destry Winant destry at riskbasedsecurity.com
Sat Nov 25 10:04:08 EST 2017


https://www.theguardian.com/technology/2017/nov/24/data-breach-hits-department-of-social-services-credit-card-system

The Department of Social Services has written to 8,500 current and
former employees warning them their personal data held by a contractor
has been breached.

In letters sent in early November the department alerted the employees
to “a data compromise relating to staff profiles within the
department’s credit card management system prior to 2016”.

Compromised data includes credit card information, employees’ names,
user names, work phone numbers, work emails, system passwords,
Australian government services number, public service classification
and organisation unit.

The department did not tell staff how long the data was exposed for,
but a DSS spokesman told Guardian Australia that the contractor,
Business Information Services, had advised that the data was open from
June 2016 until October 2017. The data related to the period 2004 to
2015.

The letters from the DSS chief financial officer, Scott Dilley, blame
“the actions of the department’s third-party provider” and say the
compromise “is not a result of any of the department’s internal
systems”.

“The data has now been secured,” Dilley wrote. He said there was “no
evidence” of improper use of the data or the department’s credit
cards.

The DSS spokesman said that on 3 October the Australian Signals
Directorate had notified it of the compromise. “The Australian Cyber
Security Centre immediately contacted the external contractor to
secure the information and remove the vulnerability within hours of
notification,” he said.

Asked to assess the severity of the breach, the Australian Privacy
Foundation chairman, David Vaile, said it had affected a “significant
number” of people and noted the department had given staff “no clue
how far back” it extended or how long data was exposed for.

He said that employees’ usernames, full names and system passwords
were “material that could be quite useful for identity theft, fraud
and masquerading”, where an attacker pretends to be an authorised
user.

Vaile said the notification was a “masterpiece of passive aggressive
writing” that sought to downplay the effect of the breach, when it
should be for the benefit of the victims to provide as much
information as possible to counter the threat.

It did not contain any acknowledgement that outsourcing functions to an
external provider “represents an increased risk and in this case it has
come home to roost”, he said.

Vaile questioned how extensive the department’s inquiries were into
whether the data was accessed, adding that little comfort could be
taken from the fact departmental credit cards had not been charged
because consequences of a data breach can take time to materialise.

A spokeswoman for Business Information Services said that as a result
of a “control vulnerability” some historical information about
employees’ work expenses “was vulnerable to possible cyber breach”.

“There is no evidence of a cyber-attack, only that it was possible,” she said.

The spokeswoman said the information included “partially anonymous
work-related expenses” including “cost centres, corporate credit cards
without CCV and expiry dates and passwords that were hashed and
therefore not visible”.

“The bulk of credit card information within the data had expired.”

The BIS spokeswoman said the vulnerability was “secured within four
hours”, the data is no longer publicly accessible and it had
undertaken a security review.

The DSS spokesman said the department “takes security seriously”.

He said the department has been working with the ACSC and the Office of
the Australian Information Commissioner to notify 2,000 current and
6,500 former employees and to work with the external contractor “to
ensure effective arrangements are in place, and to support affected
staff”.

The letter also suggested employees may wish to change or strengthen
passwords if they used the same password across work and personal
accounts.