Data breach hits 50,000 Australians

The Department of Finance is one of the victims of a major data breach that is believed to be the second-largest in Australian history affecting almost 50,000.

More than 3,000 employees at the Department of Finance, 1,470 at the Australian Electoral Commission and 300 at the National Disability Insurance Agency are among the victims of poor data management by an unnamed third-party contractor, which exposed their personal details through a misconfigured database backup stored in the Amazon cloud.

The databases were created as backups in March 2016.

Other organisations whose employee data was exposed included around 25,000 staff at AMP, 17,000 at UGL and 1,500 at Rabobank.

The Canberra Times reports the leaked information included names, passwords, ID data, phone numbers, as well as credit card numbers and corporate information including salaries and expenses.

“The Department of Prime Minister and Cabinet confirmed it was aware of a breach involving a third party contractor, but said the data exposed was historical, archived and partially anonymised.”

“It contained limited personally identifiable information of government employees such as work email addresses, and in some cases Australian Government Service numbers and corporate credit card details”, the department said.

The issue was spotted by a Polish security researcher, according to an iTnews report, which stated that authorities were alerted last month and that most of the credit card numbers were out of date or cancelled.

The Department of Prime Minister and Cabinet told iTnews that they had known of the breach since early October.

“Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” the spokesperson said.

“Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements.”

In a press statement, AMP stated that a small amount of the firm’s data had been left vulnerable. Most of the exposed data pertaining to AMP included detailed staff expenses. According to the firm, the breach happened without their knowledge, and the firm also named a third-party contractor as the cause of the breach.

Australia’s mandatory data breach notification scheme does not commence until February 2018, after which time an organisation will have 30 days to notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals once they become aware of a data breach.

Mark Perry, APAC Chief Technology Officer and Principal Architect at Ping Identity, commented: "It's essential to limit the release of Personally Identifiable Information (PII) of end users when choosing a third party outsourcing vendor. In this instance, we have to wonder why government employee passwords were shared with the outsourcer. That's a huge red flag and it should have failed organisational security policy. The baseline for allowing employees access to third party applications and services is using Identity Federation, where corporate passwords are not shared with the third party, and only a minimum of PII is released. The open standards used for identity federation are mature, secure and have been reviewed and audited by a plethora of security-conscious organisations.

"Another major gotcha is outsourcing identity management for employees to an Identity As A Service (IDaaS). While these service providers may tout their security credentials, again it's important to ensure end user passwords are not released to these vendors. Some IDaaS services store or cache end user passwords in the cloud, synchronised from the on-premise Active Directory, to make certain use cases simpler for them to implement. Many organisations, particularly government and those in sensitive and regulated industries like banking and insurance, should have policies which reject this model of password synchronisation to a third party."

"Ping Identity recommends that security-conscious organisations use only third party application vendors and service providers that support Single Sign On using identity federation standards (SAML and OpenID Connect), and IDaaS services that do not store or cache the corporate passwords of end users. Multi-Factor Authentication should be used to provide another layer of security, so that in the unfortunate event of credential loss, unauthorised access to corporate systems and data will be blocked," said Perry.
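The federation model Perry describes, as an added illustration that is not part of the article and not Ping Identity's code: the identity provider (IdP) alone checks the password and MFA code, then issues a short-lived signed assertion carrying only the claims the outsourced service provider (SP) needs. The SP verifies the signature, issuer, audience and expiry and never handles a password or the other attributes held at the IdP. The user record, issuer and audience URLs, sample password and the MFA seed are all constructed for the example; an HMAC shared key stands in for the asymmetric signing keys real SAML/OIDC deployments use, and the one-time code is a simplified time-based scheme rather than RFC 6238 TOTP.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample records held ONLY by the identity provider (IdP).
# Passwords are stored salted and hashed; the outsourced service never
# receives them, in plain or hashed form.
_SALT = b"constructed-salt-not-for-production"
_ITER = 100_000


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITER)


IDP_USERS = {
    "alice@example.gov.au": {
        "pw_hash": _pw_hash("correct horse battery"),
        "mfa_secret": b"constructed-mfa-seed",
        "ags_number": "AGS-000123",  # hypothetical sensitive attribute, never released
        "salary": 123456,            # hypothetical sensitive attribute, never released
    },
}

IDP_ISSUER = "https://idp.example.gov.au"        # hypothetical
SP_AUDIENCE = "https://expenses.vendor.example"  # hypothetical outsourced app

# Key used to sign assertions. Real SAML/OIDC uses an asymmetric key pair so the
# SP holds only the public key; a shared HMAC key keeps this example dependency-free.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def expected_mfa(secret: bytes, step_offset: int = 0) -> str:
    """Simplified time-based one-time code (30 s steps) for the MFA check."""
    counter = int(time.time()) // 30 + step_offset
    digest = hmac.new(secret, str(counter).encode(), "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def idp_authenticate(username: str, password: str, mfa_code: str):
    """IdP side: check password and MFA, then issue a signed assertion that
    carries only the minimum claims the SP needs. Returns None on failure."""
    user = IDP_USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(_pw_hash(password), user["pw_hash"]):
        return None
    # Accept the current or previous time step to tolerate small clock skew.
    if not any(hmac.compare_digest(mfa_code, expected_mfa(user["mfa_secret"], o))
               for o in (0, -1)):
        return None
    now = int(time.time())
    claims = {
        "iss": IDP_ISSUER,
        "aud": SP_AUDIENCE,
        # Pairwise pseudonymous subject: different per SP, not the internal ID.
        "sub": hashlib.sha256((SP_AUDIENCE + username).encode()).hexdigest()[:16],
        "email": username,  # the one identifying attribute the app needs
        "iat": now,
        "exp": now + 300,
    }
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), "sha256").digest())
    return f"{payload}.{sig}"


def sp_verify_assertion(token: str):
    """SP side: accept the assertion only if signature, issuer, audience and
    expiry all check out. The SP never sees a password at any point."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), "sha256").digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != SP_AUDIENCE:
        return None
    if claims.get("exp", 0) < int(time.time()):
        return None
    return claims


if __name__ == "__main__":
    user = IDP_USERS["alice@example.gov.au"]
    tok = idp_authenticate("alice@example.gov.au", "correct horse battery",
                           expected_mfa(user["mfa_secret"]))
    print("SP sees only:", sp_verify_assertion(tok))
```

The point to notice is the boundary: `sp_verify_assertion` takes a token, not a username and password, so a compromise of the vendor (or of a backup the vendor leaves exposed) yields at most short-lived assertions with an e-mail address in them, never reusable corporate credentials or the salary and service-number attributes that stay at the IdP.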