First State Super breached Privacy Act

Powered by SC Magazine

Disclosure crack-down backfires.

Superannuation fund First State Super, which issued legal threats against a penetration tester for reporting security holes in its environment, has been found in breach of the Privacy Act.

The Office of the Australian Information Commissioner (OAIC) investigated the fund after news broke that Sydney-based penetration tester and fund member Patrick Webster had discovered a direct object reference vulnerability in the fund's website: the site served account records keyed on an identifier supplied by the client without checking that the logged-in member was entitled to see them.

The OSI Security consultant had informed IT staff at First State Super about the hole and provided them with a proof-of-concept bash script that accessed 578 accounts, including members' names, addresses, superannuation account details and balances.

First State Super served Webster with legal proceedings demanding he hand his computer over to the company's IT staff so they could ensure the data had been removed.

Webster, who formerly worked for the NSW Police, went public and the superannuation company later dropped its threats. The company added at the time that it "appreciates" his disclosure and had "no intention of taking any other action against him".

The OAIC found the company in breach of the National Privacy Principles (NPPs) in the Privacy Act because it did not have adequate security measures in place to protect customer information from unauthorised access and disclosure.

“While it is acknowledged that upon becoming aware of the matter, (First State Super) took immediate steps to remedy the situation, this still resulted in a breach of the NPPs”, Privacy Commissioner Timothy Pilgrim said in a statement.

Specifically, Pilgrim found that internal audits by parent company Pillar should have detected the flaw even if Webster had not reported it. This amounted to a breach of NPP 4.1 of the Privacy Act, which requires an organisation to take reasonable steps to protect the personal information it holds.

The investigation noted that Pillar had run "over 200 security tests" prior to Webster's disclosure, none of which revealed the direct object reference flaw. The tests were described as "only a sample" of the environment.

It further found that the fund's logging and monitoring failed to pick up the activity of Webster's bash script, even though it had pulled hundreds of account records in quick succession.

As predicted by SC Magazine, the OAIC did not impose penalties on the fund because it had moved promptly to patch the security holes and had immediately informed affected members.

Copyright © SC Magazine, Australia
