First State Super drops Webster legal threats

Powered by SC Magazine

Never intended to take action.

First State Superannuation has dropped legal threats against security consultant Patrick Webster for disclosing a security hole without authorisation.

The company had served Webster with a legal document (pdf) which demanded he provide the company's IT staff access to his computer.

First State was concerned Webster had kept a store of customer data obtained after he demonstrated a direct object reference vulnerability in the fund's website, through which he accessed 578 accounts using a script.
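The flaw described above belongs to a well-known class, insecure direct object reference (IDOR): a record identifier taken from the request selects the record with no check that the logged-in member owns it. The following is an added illustration of that class, written for this article and not code from First State Super, from OSI Security or from Webster; the statement records, member names and the handler/function names are constructed for the example. It shows the vulnerable lookup beside a hardened one that enforces ownership and logs refusals, plus the kind of isolation check a defender would run before closing such a report.

```python
"""Added example: insecure direct object reference (IDOR), vulnerable vs. hardened.
Not code from First State Super or from the security consultant in the article;
all records, names and identifiers are constructed sample data."""
from __future__ import annotations

from typing import Callable, Optional

# Constructed sample data: member statements keyed by a sequential id,
# the kind of predictable identifier that makes an IDOR trivially enumerable.
STATEMENTS = {
    1001: {"member": "alice", "balance": 12345.00},
    1002: {"member": "bob", "balance": 67890.00},
    1003: {"member": "carol", "balance": 2222.22},
}

# Constructed audit sink: refused lookups land here so a detection rule can
# flag a session that is walking the id space.
AUDIT_LOG: list = []


def statement_vulnerable(session_user: str, statement_id: int) -> Optional[dict]:
    """Vulnerable pattern: the id from the URL selects the record directly.
    The session user is never consulted, so any authenticated member who
    changes the id reads another member's statement."""
    return STATEMENTS.get(statement_id)


def statement_hardened(session_user: str, statement_id: int) -> Optional[dict]:
    """Hardened pattern: the record is only returned when it belongs to the
    authenticated caller; every other request is refused and audited."""
    record = STATEMENTS.get(statement_id)
    if record is None or record["member"] != session_user:
        AUDIT_LOG.append(f"DENIED user={session_user} statement={statement_id}")
        return None
    return record


def verify_isolation(handler: Callable[[str, int], Optional[dict]]) -> bool:
    """Regression check a defender runs on the fix: every member must be able
    to read exactly their own statement and nothing else. Returns True only
    when the handler enforces that for all member/statement pairs."""
    members = {rec["member"] for rec in STATEMENTS.values()}
    for user in members:
        for sid, rec in STATEMENTS.items():
            should_allow = rec["member"] == user
            if (handler(user, sid) is not None) != should_allow:
                return False
    return True


if __name__ == "__main__":
    print("vulnerable handler isolates members:", verify_isolation(statement_vulnerable))
    print("hardened handler isolates members:  ", verify_isolation(statement_hardened))
    print("audit entries written:", len(AUDIT_LOG))
```

The hardened handler deliberately returns the same result for "no such statement" and "not your statement", so the response does not confirm which ids exist; the audit entries it writes are what a monitoring rule would count per session to spot enumeration like the 578-account script the article mentions.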

Webster, a former security professional in the NSW Police turned consultant, went public to Risky.Business and SC last week.

The dropped legal undertakings

"There has recently been some media coverage about unauthorised access to our members’ online benefit statements. The members whose statements were viewed have been notified," a statement from First State read.

"While he [Webster] immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner."

First State reported the issue to the NSW Police to "ensure that any unauthorised copies of the member statements involved were destroyed".

"We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information," it said.

The NSW Privacy Commissioner was investigating the security flaw. It appeared unlikely that an undertaking would be imposed on First State Super because it patched the vulnerability immediately and informed customers.

First State said it "appreciates" Webster's disclosure and had "no intention of taking any other action against him".

But it wasn't the first or the last company to threaten Webster.

During recent security tests with his consultancy OSI Security, Webster discovered holes in a rival information security firm's content management system (CMS).

Webster discovered a bypass of the CMS web login. He advised the company immediately, at about 11pm, because administrative pages could be trawled by search bots.

"The next day their email system had crashed," Webster said. "I guess the staff thought I had something to do with it. They threatened to call the police."

This time the situation was quickly defused and the vulnerability was fixed.

Security testers will continue to face threats for disclosing vulnerabilities to unprepared businesses.

Penetration testers Chris Gatford and Drazen Drazic said security professionals are inherently inquisitive and must balance the desire to help fix bugs with the risk of litigation.

Webster said he would thoroughly evaluate this risk but did not rule out future unauthorised disclosures.

Copyright © SC Magazine, Australia
