Contractor breach exposes 50k Aussie govt, bank staff records

The personal details of almost 50,000 Australian employees of several government agencies, banks and a utility have been exposed online by a third-party contractor.

In what appears to be the country's second largest data breach behind the leak of information on 550,000 blood donors last year, iTnews can reveal that 48,270 personal records were left openly accessible as a result of a misconfigured Amazon S3 bucket.

The records were discovered by a Polish security researcher going by the moniker Wojciech (@PoszerzHoryzont on Twitter) who conducted a search for Amazon S3 buckets set to open, with “dev”, “stage”, or “prod” in the domain name, and containing specific file types like xls, zip, pdf, doc and csv.

The files he found include full names, passwords, IDs, phone numbers, and email addresses as well as some credit card numbers and details on staff salaries and expenses.

Insurer AMP was the most impacted, with 25,000 staff records exposed as a result of the misconfiguration.

Utility UGL was affected to the tune of 17,000 records, while 1500 pieces of employee data were discovered from Rabobank.

Several thousand government employee details were also leaked: 3000 at the Department of Finance, 1470 at the Australian Electoral Commission, and 300 at the National Disability Insurance Agency.

The databases were backups made in March 2016. Wojciech said most of the credit card numbers had been cancelled, and many of the records were available in duplicate.

The location of the files in a single S3 bucket and the similar appearance of the table schema in each backup suggests one contractor is behind the breach.

None of the impacted organisations would name the third party.

In a statement to iTnews the Department of Prime Minister and Cabinet - the parent agency for the Australian Cyber Security Centre - said it had been alerted to the breach in early October.

"Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability," the spokesperson said.

"Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements."

The agency urged any other affected organisations to contact the ACSC.

AMP confirmed a "limited amount of company data" on staff expenses had been inadvertently exposed by a third-party supplier.

"The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time," a spokesperson told iTnews.

"AMP treats data security very seriously and has strict policies in place regarding the handling of data with third party vendors. We are reviewing the situation to ensure standards are maintained."

UGL declined to comment. Rabobank declined to comment while an investigation was underway.

Wojciech said he contacted AMP and the Defence department in early October about the issue, only receiving a response from the government agency.

The Australian Signals Directorate told Wojciech in emails sighted by iTnews that it had worked with the contractor to apply access control lists to the data to prevent further unauthorised access. It would not comment on whether anyone other than the researcher had accessed the data.

From February next year organisations will be required to report a data breach to the Office of the Australian Information Commissioner.

Know more? Get in touch