Massive data breach hits Australia

Massive data breach hits Australia

A third party IT contractor breach has exposed 50,000 Australian personal records including full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses. Human error is again the culprit with a misconfigured Amazon Cloud solution.

From February 2018, organisations that are required to comply with the Privacy Act will be required to report such a data breach to the Privacy Commissioner.

This is a classic example of the sort of exposure that a cyber insurance policy is designed to address.

CRM Brokers can arrange a policy that provides your business with a 24/7 incident support service to ensure professionals are readily available to help get your business back up and running as soon as possible after a cyber-attack.

The incident support will provide peace of mind through managing remediation, customer communications / notification, public relations / brand damage challenge and potential subsequent litigation.

Case Study

The personal details of almost 50,000 Australian employees of several government agencies, banks and a utility have been exposed online by a third-party contractor. In what appears to be the country’s second largest data breach behind the leak of information on 550,000 blood donors last year, iTnews can reveal that 48,270 personal records were left openly accessible as a result of a misconfigured Amazon S3 bucket.
The records were discovered by a Polish security researcher going by the moniker Wojciech who conducted a search for Amazon S3 buckets set to open, with “dev”, “stage”, or “prod” in the domain name, and containing specific file types like xls, zip, pdf, doc and csv.

The files he found include full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses.
Insurer AMP was the most impacted, with 25,000 staff records exposed as a result of the misconfiguration.
Utility UGL was affected to the tune of 17,000 records, while 1500 pieces of employee data were discovered from Rabobank.

The databases were backups made in March 2016. Wojciech said most of the credit card numbers had been cancelled, and many of the records were available in duplicate. The location of the files in a single S3 bucket and the similar appearance of the table schema in each backup suggests one contractor is behind the breach. None of the impacted organisations would name the third party.

AMP confirmed a “limited amount of company data” on staff expenses had been inadvertently exposed by a third-party supplier. “The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time,” a spokesperson told iTnews. Wojciech said he contacted AMP and the Defence department in early October about the issue, only receiving a response from the government agency.

From February, next year organisations will be required to report a data breach to the Office of the Australian Information Commissioner.

Which Cyber Insurance policy is right for you?

There is no such thing as an impenetrable system; this is why in today’s digital age, Cyber Insurance is a must for your business to mitigate your exposure in the event of a cyber-attack.
Find out how little it costs to protect your business from the costs attached to a cyber-attack. You can obtain a Cyber Insurance quote online in a matter of minutes, click here to begin.

Contact CRM Brokers today; we will work with you to help protect your business from this emerging risk, visit our Cyber Insurance page or call us on 1300 880 494.

Stay Informed – Connect with us on LinkedIn
Important Notice

This article provides information rather than financial product or other advice. The content of this article, including any information contained in it, has been prepared without taking into account your objectives, financial situation or needs. You should consider the appropriateness of the information, taking these matters into account, before you act on any information. In particular, you should review the product disclosure statement for any product that the information relates to it before acquiring the product.

Information is current as at the date the article is written as specified within it but is subject to change. CRM Brokers make no representation as to the accuracy or completeness of the information. Various third parties have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of CRM Brokers.