The Australian Competition and Consumer Commission (ACCC) has pinned the blame for its embarrassing premature disclosure of the TPG and Vodafone Australia merger rejection on an as yet unspecified glitch in its website content management system, which the regulator says has now been patched.
In a statement issued on Thursday afternoon, the ACCC said it has now “conducted a full investigation into the incident and identified that it was caused by a flaw in its website content management system, which has been rectified.”
A quick perusal of the HTML on the ACCC’s web pages, including its mergers section, reveals that Drupal 7 is used for public-facing pages, including its mergers register, though it’s unclear what else is in the mix.
The ACCC went to market for a Drupal CMS in 2012 to replace its locally cut Sytadel CMS. Drupal also later became the open source software base for the GovCMS platform that was provided initially by Acquia for federal agencies.
The ACCC has declined to disclose the provider or version of the flawed CMS.
The ACCC's premature online reveal caused TPG’s shares to dive on the day, angering the proposed merger parties who have since said they will fight to overturn the rejection in the Federal Court.
“The information became public when, following the normal practice ahead of announcements, the information was being input into the back end of the mergers register, a third-party user sought to access the existing webpage at the precise moment it was being updated,” the ACCC said in its statement.
“The ACCC’s information technology team has rectified the flaw by applying a patch to the software.”
However, that revelation begs the question as to how and why a federal government market regulator in custody of sensitive and highly confidential information was running unpatched systems at all, given the potential for damage from leaked or inadvertently exposed content.
“Instead of the new information being treated as draft content requiring internal approval, the flaw meant the content was live for eight minutes,” the ACCC said.
“Because the information went live just before 3pm, the ACCC worked quickly to issue a statement confirming the merger decision to both the ASX and the market.”
Chief Operating Officer Rayne de Gruchy drew the short straw to eat humble pie in public.
“We apologise unreservedly for this unfortunate and serious incident,” de Gruchy said.
“The ACCC has successfully managed highly market-sensitive commercial information for decades and this is the first time, to our knowledge, that a merger decision has been released in this manner.”
However, the revelation that a flaw in an unpatched application can expose highly sensitive documents is certain to put other agencies on edge, especially if they could be facing similar risks.
It is now routine for many regulators and authorities to publish market-sensitive decisions and documents via their web pages as the primary distribution mechanism.
They include, but are not limited to, the Reserve Bank of Australia, Australian Bureau of Statistics, Treasury and the Australian Securities and Investments Commission.
Those organisations are certain to be watching the ACCC’s statements and remediation efforts closely, especially for whether its problems could be more common across government.