A security consultant who quietly informed First State Super about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat warning that he may be forced to pay the cost of fixing the flaw.
A legal document (pdf) sent on behalf of First State Super and fund administrator Pillar demanded that Patrick Webster provide the company's IT staff access to his computer.
The company acknowledged in the document that Webster had reported the flaw in good faith but warned that he may have contravened the NSW Computer Crimes Act by accessing another customer's data.
Webster, a customer of First State Super, found a direct object reference vulnerability in a statement emailed on 24 September.
He had increased a numerical value in a URL used to access his statement by one digit and was granted access to a former colleagues' account.
That account contained information including name, address, date of birth and financial payments.
Webster notified his colleague and contacted Adam Jarrett of Pillar hours later and informed them of the vulnerability and that he had not accessed other accounts or retained customer data.
He said the company thanked him for reporting the issue and fixed the flaw within 24 hours.
But the company commenced legal action against Webster and informed NSW Police of what it considered a breach of the NSW Computer Crimes Act.
Burwood police detectives questioned Webster on Wednesday night. First State Super has not returned requests for comment by iTnews' sister publication SC Magazine.
“You should be aware that due to the serious nature of your actions, this matter has been reported to the NSW Police,” the letter signed by Minter Ellison partner Maged Girgis said
“Whilst you have indicated that your actions were motivated by an attempt to show that it is possible for a wrongdoer to obtain unauthorised access to Pillar's systems, your actions may themselves be considered a breach of section 308H of the Crimes Act 1900 (NSW) and section 478.
“Your unauthorised access also constitutes a breach of [Pillar’s terms] and has caused the Trustee to expend members funds in dealing with this matter.”
The letter warned that the “Trustee has the right to seek recovery from you for the costs incurred in accordance with those terms”.
It demanded that Webster delete all records to which he had “gained authorised access” and allow IT personnel the right to verify the destruction of the data.
Webster's online account with the fund was also suspended.