First State Super drops Webster legal threats

Powered by SC Magazine
 

Never intended to take action.

First State Superannuation has dropped legal threats against security consultant Patrick Webster for disclosing a security hole without authorisation.

The company had served Webster with a legal document (pdf) which demanded he provide the company's IT staff access to his computer.

First State was concerned Webster had kept a store of customer data obtained after he demonstrated a direct object reference vulnerability in the fund's website, through which he accessed 578 accounts using a script.

Webster, a former security professional in the NSW Police turned consultant, went public to Risky.Business and SC last week.

The dropped legal undertakings

 "There has recently been some media coverage about unauthorised access to our members’ online benefit statements. The members whose statements were viewed have been notified," a statement from First State read.

"While he [Webster] immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner."

First State reported the issue to the NSW Police to "ensure that any unauthorised copies of the member statements involved were destroyed".

"We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information," it said.

The NSW Privacy Commissioner was investigating the security flaw. It appeared unlikely that an undertaking would be imposed on First State Super because it patched the vulnerability immediately and informed customers.

First State said it "appreciates" Webster's disclosure and had "no intention of taking any other action against him".

But it wasn't the first or the last company to threaten Webster.

During recent security tests with his consultancy OSI Security, Webster discovered holes in a rival information security firm's content management system (CMS).

Webster discovered a bypass of the CMS web log in. He advised the company immediately at about 11pm because administrative pages could be trawled by search bots.

"The next day their email system had crashed," Webster said. "I guess the staff thought I had something to do with it. They threatened to call the police."

This time the situation was quickly defused and the vulnerability was fixed.

Security testers will continue to face threats for disclosing vulnerabilities to unprepared businesses.

Penetration testers Chris Gatford and Drazen Drazic said security professionals are inherently inquisitive and must balance the desire to help fix bugs with the risk of litigation.

Webster said he would thoroughly evaluate this risk but did not rule out future unauthorised disclosures.

Copyright © SC Magazine, Australia


First State Super drops Webster legal threats
 
 
 
Top Stories
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
The CISO’s dilemma: Do you trust your partner’s partner?
[Blog post] How far down the chain do you check?
 
Microsoft confirms Australian Azure launch
Available from next week.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  22%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 303

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  59%
 
No
  41%
TOTAL VOTES: 114

Vote