First State Super breached privacy law

Security researcher cleared.

Superannuation firm First State Super has been found in breach of the Privacy Act after exposing sensitive data to existing customers on its website.

In a final report [pdf] released yesterday, Privacy Commissioner Timothy Pilgram found the company in breach of the National Privacy Principles (NPPs) in the Privacy Act because it did not have adequate security measures in place to protect customer information from unauthorised access and disclosure.

Though First State Super did not disclose information to a third party, the commissioner found the firm had not taken reasonable steps to protect the personal information held in the members section of its website.

An investigation by the commissioner after the breach in October 2011 found the company had "conducted a number of tests of sample web pages prior to the incident", including 200 internal examinations, but failed to properly test the area found to be vulnerable to attack by existing customers.

Specifically, Pilgrim found internal audits by parent company Pillar should have detected the flaw. This resulted in a breach of NPP 4.1 of the Privacy Act.

"In my view, FSS would have had the capacity to remedy this flaw in its system. For this reason I found that FSS had failed to take reasonable steps to protect the personal information it held, and had breached the Privacy Act,” Pilgrim said.

The commissioner did not impose penalties against the company, however, because it moved to patch the security holes and immediately informed customers.

“Incidents such as this are very concerning particularly when sensitive personal details, such as financial information are accessed by an unauthorised person,” Pilgrim said.

“I acknowledge the speed with which FSS acted when they became aware of the incident, immediately containing the incident, notifying affected members and commencing an internal investigation.”

The company hit headlines last year after issuing legal threats against OSI Security consultant and penetration tester, Patrick Webster, for finding and reporting the security holes to the company.

An existing customer with the fund, Webster had informed IT staff at First State Super about the hole and provided them with a proof of concept which accessed 578 customer accounts, including members' names, addresses, superannuation account details and balances.

First State Super served Webster with legal proceedings [pdf], demanding he hand his computer to the company’s IT staff to ensure data was removed.

Charges and an investigation by NSW Police have since been dropped. The commissioner also cleared Webster of wrongdoing in his report.