That a teen hacker managed to find an easily exploitable security hole in Public Transport Victoria's website was bad enough, but it got a whole lot worse when he took his findings to the news media.
The story unfolded during the Christmas holidays when people were on leave, but that didn't stop the publicity from damaging the PTV brand. Security experts lambasted the agency for not taking good care of customer data.
The case - unsurprisingly - sparked off a drive within the organisation to manage future incidents better and to ensure security breaches were minimised.
While the incident did not constitute a data breach - the data involved was old and out of date - it nevertheless showed up weaknesses in PTV’s security posture as well as the organisation’s preparedness for when incidents occur.
Putting out the fires from this attack may seem like an unenviable task to take on, but PTV’s manager of information security, Abbas Kudrati, approached the problem strategically and implemented a cyber security incident plan with a business focus.
“It was a methodical build-up to boost the security posture of PTV, following best practices and standards,” Kudrati said.
This involved using frameworks such as those from the US National Institute of Standards and Technology (NIST) and the Control Objectives for Information and Related Technology version 5 (COBIT 5) to assess PTV’s cyber security incident response capability.
Picking a set of partners such as AusCERT and CyberSource for early alarm and network monitoring, and implementing credit card fraud analytics, also formed part of the plan to get on top of PTV’s security readiness.
The first two phases of the project took nine months. An ongoing follow-up phase with continuous reviews completed the project implementation.
According to Kudrati, the results were worth it: after implementing CyberSource's analysis engine - used for every Myki purchase - over 8000 credit cards linked through false registrations were blocked, taking a major chunk out of the $1.1 million in credit card fraud PTV had suffered since July 2013.
It has reduced PTV's financial exposure by a staggering 75 percent.
Every hacking attempt on PTV portals is now analysed with classification and priority levels assigned as per a predefined process; no more “panic mode” when a new attack is discovered.
For Kudrati, the incident and the successful rollout of the program have also meant much greater visibility within the business for his work.
“The board wants to be briefed on security now and there’s recognition by the chief executive on the importance of the work,” Kudrati said.
“Ultimately, the experience has been to turn something very negative into a positive thing, and it’s been great to see that happen.”
Public Transport Victoria's incident management plan is a finalist in the SC Benchmark awards.