Super fund threatens customer with vulnerability repair bill

Powered by SC Magazine
 

First State Super demands to access security researcher's computer.

A security consultant who quietly informed First State Super about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat warning that he may be forced to pay the cost of fixing the flaw.

A legal document (pdf) sent on behalf of First State Super and fund administrator Pillar demanded that Patrick Webster provide the company's IT staff access to his computer.

The company acknowledged in the document that Webster had reported the flaw in good faith but warned that he may have contravened the NSW Computer Crimes Act by accessing another customer's data.

Webster, a customer of First State Super, found a direct object reference vulnerability in a statement emailed on 24 September.

He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.

That account contained information including name, address, date of birth and financial payments.

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.

Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data.

He said the company thanked him for reporting the issue and fixed the flaw within 24 hours.

But the company commenced legal action against Webster and informed NSW Police of what it considered a breach of the NSW Computer Crimes Act.

Burwood police detectives questioned Webster on Wednesday night. First State Super has not returned requests for comment by iTnews' sister publication SC Magazine.

“You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police,” the letter signed by Minter Ellison partner Maged Girgis said

“Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.

“Your unauthorised access also constitutes a breach of [Pillar’s terms] and has caused the Trustee to expend members funds in dealing with this matter.”

The letter warned that the “Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms”.

It demanded that Webster delete all records to which he had “gained authorised access” and allow IT personnel the right to verify the destruction of the data.

Webster's online account with the fund was also suspended.

Copyright © SC Magazine, Australia


Super fund threatens customer with vulnerability repair bill
 
 
 
Top Stories
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Telcos finally briefed on data retention details
Update: AGD offers list of data to be stored.
 
Qld Health hires short-term CIO, CTO
Ray Brown leaves after five years at IT helm.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  67%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  7%
 
Insider threats
  12%
TOTAL VOTES: 559

Vote