Ballarat splits outsourcing contract after network hack

Powered by SC Magazine
 

Council blames third party for 2010 breach.

Ballarat City Council has split up its network management contract after its IP addresses and log-in details of 430 users were lost by a third-party service provider last year.

Twenty-two-year-old Bradley David Ward broke into the network last August after stealing network access details from the unnamed provider.

Council staff thought its systems were secure after performing regular security audits and penetration tests. But they did not expect the local provider of “high-end network support” to be storing details about its network topology and virtual private network passwords on a public-facing, password protected website.

“The third party was hacked and [Ward] got information about our network topology from a site that had [also] had log in and staff security codes,” the council’s information services manager Annie Dejong said.

“It would be reasonable to assume when you give your data to somebody that they would hold it securely [but] you need to be specific about where you expect your data to be held.”

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.

Ward approached the council and informed Dejong of the breach days after it occurred.

Council staff shut down the network for seven days as it implemented the 100 action items in its disaster recovery plan. All critical systems ran in offline mode during that period.

The council performed security checks and rebuilt components of the network with the assistance of vendor partners Infor and AXS-One Computron.

Since the breach, Ballarat City Council has terminated its relationship with the unnamed outsourcer and replaced it with separate contracts for firewall, disaster recovery and network planning services.

Although outsourcing had its risks, Dejong said internal employees – especially disgruntled workers – could also compromise network security.

“I think this happens more than people say,” she said of data breaches. “The value of being a public organisation is we can and should talk about this, so others learn.

“A key lesson is to build relationships with your partners so they clearly understand what your business does.”

‘Non-malicious’ hacker fined

The council determined that Ward had accessed multiple servers but had not stolen any information about Ballarat residents.

Ward also appeared to have tried to access the council’s payroll data but was unsuccessful due to a second layer of security in the Infor software, Dejong said, refuting reports that payroll data was stolen.

“Nothing was stolen and [the hack] wasn’t malicious,” she said, speculating that Ward had broken into the network for bragging rights.

Dejong said council staff would likely have detected the breach even without Ward’s advice, as he had created an unauthorised account in the system.

Ward was fined $6000 by the Ballarat Magistrates Court in April, after pleading guilty to two charges of intentionally causing unauthorised access to restricted data.

His lawyer Hamish Locke reportedly argued that Ward’s “ultimate motives were altruistic” but County Court Judge Sue Pullen and Magistrate Tim McDonald said the sentence needed to deter Ward and the public from committing such offences.

“[The hacker] illegally accessed our computer network and caused an amount of expense and downtime,” Dejong said.

“Nobody really expects that you’ll have to rebuild your network in seven days ... The rebuild took seven days and lots of long nights and working on weekends.”

Copyright © iTnews.com.au . All rights reserved.


Ballarat splits outsourcing contract after network hack
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 337

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  57%
 
No
  43%
TOTAL VOTES: 140

Vote