[BreachExchange] WA Health information so insecure it was published for months by teenage 'script kiddie'

[Destry Winant]

https://www.watoday.com.au/national/western-australia/wa-health-information-so-insecure-it-was-published-for-months-by-teenage-script-kiddie-20200721-p55dzt.html

An unencrypted pager network had been used by WA Health for more than
12 years before it was accessed by a 15-year-old boy from Mandurah,
who published confidential messages for months before police
intervened on Monday night.

Sensitive medical details of hundreds of West Australians and
government department communications were published on a website
operated by the self-described "script kiddie" using tools widely
available on the internet.

A 15-year-old Mandurah boy is allegedly the mastermind behind a
massive data breach that compromised thousands of medical records in
Western Australia.

Premier Mark McGowan said he was disappointed and disturbed by the
privacy breach, but police had intervened to shut down the website and
speak to the teenager.

"The individual who has published this information, that person was
discovered and police have intervened there," Mr McGowan said.

"It was a person under the age of 16 who spends a lot of their life
online, as young people do.

"The police have visited and shut down the website."

In written statement, a WA Police spokesman said the technology crime
division had executed a search warrant on Monday after receiving a
complaint on Sunday.

He said the publication of the intercepted messages "was not intended
to compromise the privacy of any person" and had been collected
randomly.

The 15-year-old had not attempted to access or compromise any
government websites or databases.

The Premier said there would be a forensic audit of the information
that had been revealed through the breach, but he had been told by the
Health Department pagers were still in use because they were a more
reliable communications tool.

The Health Department's acting director general Angela Kelly told
Radio 6PR's Gareth Parker hospital information had not been breached
and a "third party" who was contracted to operate a hotline had used
the pager network, which was itself operated by Vodafone.

"In no way, shape, or form have our own systems been breached," she said.

"We utilise a third party provider that takes calls from the public,
practitioners on a range of matters. What they will do is then forward
that information up until yesterday by paging and SMS."

Ms Kelly said the pager system was switched off on Monday night.

Vodafone said it had been warning customers of the unencrypted pager
network to move to secure mobile phone messaging since 2019.

"We advised paging customers in 2019 that we would be looking to close
the paging network from the end of 2020," the telecommunications
provider said in a written statement.

"We have been working with customers, which include emergency and
health services, to encourage them to transition them to our secure
mobile phone network.

"Paging networks send messages using legacy radio technology which is
not able to be encrypted, unlike mobile phone networks which use
encryption to protect customer communications. We encourage customers
not to use paging services to send sensitive information."

Vodafone said it had referred the matter to the WA Police and the
Australian Federal Police.

Acting opposition health spokesman Tjorn Sibma called for Information
and Communication Technology Minister Dave Kelly to stand down over
the privacy breach.

"It is staggering that in 2020 in the middle of a COVID-19 pandemic
that the McGowan Labor government is still using such an antiquated
paging system that is unsecure," he said.

"This breach of confidential data was completely avoidable and is
totally unacceptable. The fact that the alleged hacker was under 16
should concern every West Australian.

"The result is that West Australian citizens have had private,
sensitive medical information published online. The horse has bolted.
We are talking about people’s names, addresses, phone numbers and
confidential medical information being posted online."

Although no charges had been laid, WA Police said the investigation
would continue and detectives would work with the Premier's Office of
Digital Government over the breach.

Mr Kelly said the government had created the Office of Digital
Government, which meant for the first time the state had a dedicated
cyber security team, "something that never existed under the previous
Government".

"On becoming aware of this incident, I directed the Office of Digital
Government to engage with affected organisations and the WA Police
Force," he said.

"The website was shut down and the Department of Health are no longer
using the pager service.

"I note this system was used during the entire period of the former
Liberal Government."