First State Super drops Webster legal threats

Powered by SC Magazine
 

Never intended to take action.

First State Superannuation has dropped legal threats against security consultant Patrick Webster for disclosing a security hole without authorisation.

The company had served Webster with a legal document (pdf) which demanded he provide the company's IT staff access to his computer.

First State was concerned Webster had kept a store of customer data obtained after he demonstrated an insecure direct object reference vulnerability in the fund's website: by changing the identifier in a request, an authenticated member could retrieve other members' benefit statements, and Webster used a script to access 578 accounts this way.
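The flaw described above, as an added illustration that is not code from First State Super's site or from Webster's script: a statement lookup keyed by a sequential member ID that authenticates the caller but never checks that the record belongs to them, beside a hardened version that does, plus the kind of enumeration loop such a flaw invites. All names, IDs, balances and session tokens are constructed for the example.

```python
"""Insecure direct object reference (IDOR): vulnerable lookup, fixed lookup, and an
enumeration script run against both. Everything here is constructed sample data."""


class Forbidden(Exception):
    """Raised when the caller is not logged in or may not see the requested record."""


# Constructed sample data. Member IDs are sequential, as they often are in practice,
# which is what makes a missing ownership check enumerable.
STATEMENTS = {
    1001: {"owner": "alice", "balance": 45200.00},
    1002: {"owner": "bob", "balance": 128900.50},
    1003: {"owner": "carol", "balance": 9800.25},
}

# Constructed session table: session token -> authenticated member.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def get_statement_vulnerable(session_token, member_id):
    """Authenticates the caller, then trusts the client-supplied member_id outright.

    Any logged-in member can read any statement just by changing the ID."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return STATEMENTS.get(member_id)


def get_statement_fixed(session_token, member_id):
    """Same lookup with an ownership check: the record must belong to the session's member.

    Missing and foreign records get the same response, so a caller cannot use the
    difference to discover which IDs exist."""
    member = SESSIONS.get(session_token)
    if member is None:
        raise Forbidden("not logged in")
    record = STATEMENTS.get(member_id)
    if record is None or record["owner"] != member:
        raise Forbidden("no such statement")
    return record


def enumerate_statements(fetch, session_token, start, end):
    """Walk a range of IDs with one valid session and collect every statement returned.

    This is the shape of script the article describes; against the fixed handler it
    only ever yields the caller's own record."""
    found = {}
    for member_id in range(start, end + 1):
        try:
            record = fetch(session_token, member_id)
        except Forbidden:
            continue
        if record is not None:
            found[member_id] = record["owner"]
    return found


if __name__ == "__main__":
    leaked = enumerate_statements(get_statement_vulnerable, "sess-alice", 1000, 1010)
    print("vulnerable handler leaked:", leaked)
    own = enumerate_statements(get_statement_fixed, "sess-alice", 1000, 1010)
    print("fixed handler returned:", own)
```

The ownership check is the actual fix; making IDs unguessable on its own is not, because a reference that leaks in a log, a referrer or a shared link is still usable by anyone who has it. Note also that the fixed handler returns the same error for "not yours" and "does not exist", which stops a scanner from mapping the ID space even when it cannot read the records.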

Webster, a former security professional with the NSW Police turned consultant, went public via Risky.Business and SC last week.

The dropped legal undertakings

"There has recently been some media coverage about unauthorised access to our members' online benefit statements. The members whose statements were viewed have been notified," a statement from First State read.

"While he [Webster] immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner."

First State reported the issue to the NSW Police to "ensure that any unauthorised copies of the member statements involved were destroyed".

"We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information," it said.

The NSW Privacy Commissioner was investigating the security flaw. It appeared unlikely that an undertaking would be imposed on First State Super because it patched the vulnerability immediately and informed customers.

First State said it "appreciates" Webster's disclosure and had "no intention of taking any other action against him".

But it wasn't the first or the last company to threaten Webster.

During recent security tests with his consultancy OSI Security, Webster discovered holes in a rival information security firm's content management system (CMS).

Webster discovered a bypass of the CMS web login. He advised the company immediately, at about 11pm, because the exposed administrative pages could be crawled and indexed by search bots.

"The next day their email system had crashed," Webster said. "I guess the staff thought I had something to do with it. They threatened to call the police."

This time the situation was quickly defused and the vulnerability was fixed.

Security testers will continue to face threats for disclosing vulnerabilities to unprepared businesses.

Penetration testers Chris Gatford and Drazen Drazic said security professionals are inherently inquisitive and must balance the desire to help fix bugs with the risk of litigation.

Webster said he would thoroughly evaluate this risk but did not rule out future unauthorised disclosures.

Copyright © SC Magazine, Australia

