Super fund threatens customer with vulnerability repair bill

Powered by SC Magazine

First State Super demands to access security researcher's computer.

A security consultant who quietly informed First State Super about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat warning that he may be forced to pay the cost of fixing the flaw.

A legal document (pdf) sent on behalf of First State Super and fund administrator Pillar demanded that Patrick Webster provide the company's IT staff access to his computer.

The company acknowledged in the document that Webster had reported the flaw in good faith but warned that he may have contravened the NSW Computer Crimes Act by accessing another customer's data.

Webster, a customer of First State Super, found a direct object reference vulnerability in a statement emailed on 24 September.

He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

That account contained information including name, address, date of birth and financial payments.

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.

Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data.

He said the company thanked him for reporting the issue and fixed the flaw within 24 hours.

But the company commenced legal action against Webster and informed NSW Police of what it considered a breach of the NSW Computer Crimes Act.

Burwood police detectives questioned Webster on Wednesday night. First State Super has not returned requests for comment by iTnews' sister publication SC Magazine.

“You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police,” the letter signed by Minter Ellison partner Maged Girgis said

“Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.

“Your unauthorised access also constitutes a breach of [Pillar’s terms] and has caused the Trustee to expend members funds in dealing with this matter.”

The letter warned that the “Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms”.

It demanded that Webster delete all records to which he had “gained authorised access” and allow IT personnel the right to verify the destruction of the data.

Webster's online account with the fund was also suspended.

Copyright © SC Magazine, Australia

Super fund threatens customer with vulnerability repair bill
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
BoQ takes $10m hit on Salesforce CRM
Regulatory hurdles end cloud pilot.
Sign up to receive iTnews email bulletins
Latest Comments
Who do you trust most to protect your private data?

   |   View results
Your bank
Your insurance company
A technology company (Google, Facebook et al)
Your telco, ISP or utility
A retailer (Coles, Woolworths et al)
A Federal Government agency (ATO, Centrelink etc)
An Australian law enforcement agency (AFP, ASIO et al)
A State Government agency (Health dept, etc)

Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
I DON'T support shutting the OAIC.