Ballarat City Council has split up its network management contract after its IP addresses and log-in details of 430 users were lost by a third-party service provider last year.
Twenty-two-year-old Bradley David Ward broke into the network last August after stealing network access details from the unnamed provider.
Council staff thought its systems were secure after performing regular security audits and penetration tests. But they did not expect the local provider of “high-end network support” to be storing details about its network topology and virtual private network passwords on a public-facing, password protected website.
“The third party was hacked and [Ward] got information about our network topology from a site that had [also] had log in and staff security codes,” the council’s information services manager Annie Dejong said.
“It would be reasonable to assume when you give your data to somebody that they would hold it securely [but] you need to be specific about where you expect your data to be held.”
Ward approached the council and informed Dejong of the breach days after it occurred.
Council staff shut down the network for seven days as it implemented the 100 action items in its disaster recovery plan. All critical systems ran in offline mode during that period.
The council performed security checks and rebuilt components of the network with the assistance of vendor partners Infor and AXS-One Computron.
Since the breach, Ballarat City Council has terminated its relationship with the unnamed outsourcer and replaced it with separate contracts for firewall, disaster recovery and network planning services.
Although outsourcing had its risks, Dejong said internal employees – especially disgruntled workers – could also compromise network security.
“I think this happens more than people say,” she said of data breaches. “The value of being a public organisation is we can and should talk about this, so others learn.
“A key lesson is to build relationships with your partners so they clearly understand what your business does.”
‘Non-malicious’ hacker fined
The council determined that Ward had accessed multiple servers but had not stolen any information about Ballarat residents.
Ward also appeared to have tried to access the council’s payroll data but was unsuccessful due to a second layer of security in the Infor software, Dejong said, refuting reports that payroll data was stolen.
“Nothing was stolen and [the hack] wasn’t malicious,” she said, speculating that Ward had broken into the network for bragging rights.
Dejong said council staff would likely have detected the breach even without Ward’s advice, as he had created an unauthorised account in the system.
Ward was fined $6000 by the Ballarat Magistrates Court in April, after pleading guilty to two charges of intentionally causing unauthorised access to restricted data.
His lawyer Hamish Locke reportedly argued that Ward’s “ultimate motives were altruistic” but County Court Judge Sue Pullen and Magistrate Tim McDonald said the sentence needed to deter Ward and the public from committing such offences.
“[The hacker] illegally accessed our computer network and caused an amount of expense and downtime,” Dejong said.
“Nobody really expects that you’ll have to rebuild your network in seven days ... The rebuild took seven days and lots of long nights and working on weekends.”