Bottle Domains dumped by auDA over security breach

By on
Bottle Domains dumped by auDA over security breach

The Australian domain name administrator has ruled out a review of its registrar agreements in the wake of its decision to terminate Bottle Domains accreditation today over a security breach.

auDA took the action after it emerged Bottle may have hidden the hacking of its database for almost two years.

A spokesperson for Bottle was "not available" for comment.

The termination has left Bottle resellers such as Melbourne-based Cove "between a rock and a hard place" - with Cove, Bottle's largest reseller, now making a play to become a registrar in its own right.

Bottle, which counts some 11,000 registrants as customers, is the subject of an ongoing investigation by the Australian Federal Police after it was revealed in February that usernames and passwords had been compromised in a ‘security breach'.

It has now emerged, however, that the February ‘breach' may not have been the first.

In a statement today, auDA said it "has since discovered that Bottle Domains was the subject of an earlier security incident in April 2007, which auDA believes may have caused or contributed to the security incident in February 2009."

iTnews understands that the hack reported in February this year may actually have taken place back in April 2007 - some two years earlier than first thought.

This could mean data over the range of 2007 to 2009 may have been compromised, although the extent of the breach is still under police investigation.

auDA said in a statement that Bottle's failure to notify it at the time of the April 2007 security incident breached its obligations under the Registrar Agreement.

"Information recently provided to auDA by Bottle Domains about the April 2007 incident revealed that it did not reset customer passwords or alert its customers to the possibility that their account information had been accessed by third parties," auDA said.

"Bottle Domains also failed to conduct an independent security audit to verify that the security vulnerability had been fixed, and that there was no other unauthorised access to its systems."

aUDA chief Chris Disspain told iTnews that although the definitions for what does and doesn't constitute a security breach under current guidelines "is a matter for discussion", he expected all Australian registrars "to err on the side of caution".

He did not believe the Bottle case warranted a review or tightening of the agreement.

"You can argue that tighter rules are more dangerous because it's easier to argue a breach that doesn't fit into a tighter ‘box' of rules," Disspain said.

Disspain also said he had ‘absolutely no idea' whether Bottle would turn to legal action over the decision.

"They're entitled to take whatever action they deem appropriate," he said.

"We're very comfortable the action we've taken is appropriate. We believe we simply didn't have a choice."

Bottle resellers are now faced with a choice of forming a relationship with another registrar or - depending on their size and lobbying power - becoming a registrar in their own right.

Cove's national sales manager, Cheyne Jonstone, told iTnews that since news of the termination leaked out of auDA, Cove had been approached "by just about every [other] registrar in Australia".

But few offers had been able to offer flexibility in the API and pricing that Cove had received from Bottle.

"Our entire system has been built around Bottle's," Jonstone said.

"The problem for us is that no other registrar offers the comprehensiveness in their API as Bottle did."

Jonstone revealed that Cove is in the process of making an approach to auDA to reopen its registration process - which has been offline for approximately 18 months - to admit Cove as a registrar in its own right.

"We've been trying since March last year," he revealed.

"We have 3000 dot AU domains with Bottle now. We're large enough to be accredited anyway and for us that would be ideal because our system is already built to interact with auDA."

He said the phones "had been ringing off the hook" with domain owners seeking next steps. All customers had been notified of auDA's decision by email.

auDA has released its own set of guidelines [PDF] for both customers and resellers. While Disspain said there was no risk for either customers or resellers, he urged the latter to contact him directly to resolve any potential issues.

Got a news tip for our journalists? Share it with us anonymously here.

Most Read Articles

Log In

  |  Forgot your password?