First State Super drops Webster legal threats

Powered by SC Magazine
 

Never intended to take action.

First State Superannuation has dropped legal threats against security consultant Patrick Webster for disclosing a security hole without authorisation.

The company had served Webster with a legal document (pdf) which demanded he provide the company's IT staff access to his computer.

First State was concerned Webster had kept a store of customer data obtained after he demonstrated a direct object reference vulnerability in the fund's website, through which he accessed 578 accounts using a script.

Webster, a former security professional in the NSW Police turned consultant, went public to Risky.Business and SC last week.

The dropped legal undertakings

 "There has recently been some media coverage about unauthorised access to our members’ online benefit statements. The members whose statements were viewed have been notified," a statement from First State read.

"While he [Webster] immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner."

First State reported the issue to the NSW Police to "ensure that any unauthorised copies of the member statements involved were destroyed".

"We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information," it said.

The NSW Privacy Commissioner was investigating the security flaw. It appeared unlikely that an undertaking would be imposed on First State Super because it patched the vulnerability immediately and informed customers.

First State said it "appreciates" Webster's disclosure and had "no intention of taking any other action against him".

But it wasn't the first or the last company to threaten Webster.

During recent security tests with his consultancy OSI Security, Webster discovered holes in a rival information security firm's content management system (CMS).

Webster discovered a bypass of the CMS web log in. He advised the company immediately at about 11pm because administrative pages could be trawled by search bots.

"The next day their email system had crashed," Webster said. "I guess the staff thought I had something to do with it. They threatened to call the police."

This time the situation was quickly defused and the vulnerability was fixed.

Security testers will continue to face threats for disclosing vulnerabilities to unprepared businesses.

Penetration testers Chris Gatford and Drazen Drazic said security professionals are inherently inquisitive and must balance the desire to help fix bugs with the risk of litigation.

Webster said he would thoroughly evaluate this risk but did not rule out future unauthorised disclosures.

Copyright © SC Magazine, Australia


First State Super drops Webster legal threats
 
 
 
Top Stories
Turnbull introduces data retention legislation
Still no definition of metadata to be stored.
 
Images: the next frontier in data analytics?
Barclay’s global data chief says we’re still at the starting line.
 
Crime Commission prepares core systems overhaul
Will replace 30 year-old national criminal database.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  27%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  14%
 
Software development
  25%
TOTAL VOTES: 429

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  54%
 
No
  46%
TOTAL VOTES: 206

Vote