First State Super drops Webster legal threats

By on
First State Super drops Webster legal threats

Never intended to take action.

First State Superannuation has dropped legal threats against security consultant Patrick Webster for disclosing a security hole without authorisation.

The company had served Webster with a legal document (pdf) which demanded he provide the company's IT staff access to his computer.

First State was concerned Webster had kept a store of customer data obtained after he demonstrated a direct object reference vulnerability in the fund's website, through which he accessed 578 accounts using a script.

Webster, a former security professional in the NSW Police turned consultant, went public to Risky.Business and SC last week.

The dropped legal undertakings

 "There has recently been some media coverage about unauthorised access to our members’ online benefit statements. The members whose statements were viewed have been notified," a statement from First State read.

"While he [Webster] immediately contacted us and disclosed his actions, claiming that his objective was to highlight a security weakness, not to commit fraud, his actions were nevertheless a serious breach of privacy legislation and First State Super was obliged to report the matter in accordance with the recommendations of the Privacy Commissioner."

First State reported the issue to the NSW Police to "ensure that any unauthorised copies of the member statements involved were destroyed".

"We have no doubt that First State Super members would expect such certainty in relation to the privacy of their information," it said.

The NSW Privacy Commissioner was investigating the security flaw. It appeared unlikely that an undertaking would be imposed on First State Super because it patched the vulnerability immediately and informed customers.

First State said it "appreciates" Webster's disclosure and had "no intention of taking any other action against him".

But it wasn't the first or the last company to threaten Webster.

During recent security tests with his consultancy OSI Security, Webster discovered holes in a rival information security firm's content management system (CMS).

Webster discovered a bypass of the CMS web log in. He advised the company immediately at about 11pm because administrative pages could be trawled by search bots.

"The next day their email system had crashed," Webster said. "I guess the staff thought I had something to do with it. They threatened to call the police."

This time the situation was quickly defused and the vulnerability was fixed.

Security testers will continue to face threats for disclosing vulnerabilities to unprepared businesses.

Penetration testers Chris Gatford and Drazen Drazic said security professionals are inherently inquisitive and must balance the desire to help fix bugs with the risk of litigation.

Webster said he would thoroughly evaluate this risk but did not rule out future unauthorised disclosures.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?