Vic water utilities stored clear text credit cards, used default passwords

A Victorian Government audit has revealed security deficiencies at several state-owned water entities, including poor handling and retention of credit and debit card details, use of default passwords and "inappropriate" system access.

The deficiencies prompted the state's auditor-general Des Pearson to seek urgent action from the unnamed water utilities on credit and debit card handling policies, PCI-DSS compliance and "default security settings on ... key information systems and databases". (pdf)

Pearson uncovered two water entities that retained the CCV numbers of customers, one entity that did not mask card numbers to only show the last four digits, and one entity that did not restrict access to customers' "credit or debit card details".

His report does not identify whether the problems relate to separate utilities, or whether one or two of the entities had multiple card security issues.

However, he noted elsewhere in the report that utilities reported three issues in 2011-12 that related to "data security over payments from customers by credit or debit card".

PCI-DSS self-assessment

Of the 19 water utilities audited, 10 had staff that processed credit and debit card data, and seven of those 10 utilities "had self-assessed their compliance" with the Payment Card Industry-Data Security Standard (PCI-DSS).

"Four of the entities that had conducted a self-assessment determined that they were not compliant with the requirements of the PCI–DSS," Pearson noted.

"Three of these had subsequently developed strategies to achieve compliance."

He noted all water entities used third parties "to capture, process, transmit and/or store customer credit and debit card information and data", and all third parties were in PCI-DSS compliance.

"Water entities should invest in improving the protection of their customers' credit and debit card information and data," Pearson wrote.

"Poor security controls and non-compliance with PCI-DSS increases the risk of identity theft and fraud, thereby exposing the water entity to reputational risk and financial penalties".

System access

Other security lapses saw four water utilities statewide still using the default passwords on "key systems and databases that are part of the [point-of-sale] system".

In addition, 10 of the 19 water utilities in the state suffered a total of 54 IT "control weaknesses" in 2011-12.

The highest proportion of those issues - 39 percent, or 21 issues in real terms - related to "inappropriate or inadequate systems access, such as access to privileged user accounts, removal of terminated users' accounts, physical access to secure IT areas, and ongoing review of user accounts".

"Information held by water entities about employees, customers and suppliers, and the financial and operational aspects of the business can be highly sensitive," Pearson wrote.

"It needs to be protected from unauthorised access, theft or manipulation."

A further five of the 54 issues related to "password settings" and seven issues to "information system policies and procedures". Twelve IT control issues are simply classified as "other".

Of all internal control weaknesses - IT and non-IT - identified by Pearson, the highest proportion, some 48 percent, were IT-related.

Ten of the 19 utilities were also blasted for failing to rectify 41 internal control weaknesses identified by Pearson in the previous years' audit. Of the outstanding control issues, 66 percent were IT-related.

Pearson noted the outstanding issue count "reflects poorly on the governing body and management of the 10 water entities".