Super company with security bugs
Poor IT security controls at First State Super allowed unauthorised access to members’ account statements, breaching privacy laws.
Information technology security professional at First State Super, Patrick Webster, discovered he could access other members’ statements by changing the digits in the web URL late last month.
Host of IT security podcast Risky.Biz, Patrick Gray reported the first incident on his website. “In 10 years of security reporting, this is the most spectacular backfire I have ever seen. First State’s IT system was not properly constructed at all. I am stunned if Pat Webster is the first guy to have done this.”
Mr Webster was able to access 568 members’ private details and reported the flaw to the company’s IT provider, Pillar Administration.
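The flaw described above, where changing the digits in a URL returns another member's statement, is a missing authorisation check on a record looked up by its identifier. The following is an added illustration, not code from First State Super or Pillar Administration: a minimal in-memory statement service with the flawed lookup beside the corrected one, plus a small log check of the kind a defender could use to notice one session walking through many statement ids. All data, names and thresholds here are constructed for the example.

```python
# Added example, not from the article: an identifier-based lookup without an
# ownership check, the fixed version, and a simple enumeration detector.
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Statement:
    statement_id: int
    member_id: str
    body: str


# Constructed sample data: three statements belonging to two members.
STATEMENTS = {
    1001: Statement(1001, "member-A", "Balance: 12,345"),
    1002: Statement(1002, "member-B", "Balance: 67,890"),
    1003: Statement(1003, "member-A", "Balance: 13,000"),
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""


def get_statement_vulnerable(session_member: str, statement_id: int) -> Statement:
    # Trusts the id taken from the URL alone: any logged-in member can read any
    # statement by changing the digits. This is the class of flaw in the article.
    return STATEMENTS[statement_id]


def get_statement_fixed(session_member: str, statement_id: int) -> Statement:
    # Authorise the record against the authenticated identity, not the URL.
    record = STATEMENTS.get(statement_id)
    if record is None or record.member_id != session_member:
        # Same outcome for "no such record" and "not your record", so the
        # response does not reveal which ids exist.
        raise Forbidden(f"{session_member} may not read statement {statement_id}")
    return record


def audit_enumeration(session_member: str, ids, handler) -> int:
    """Count how many records `handler` hands to `session_member` over `ids`.

    A self-check an auditor or unit test can run against each handler; the
    fixed handler should only ever serve the member's own statements.
    """
    served = 0
    for sid in ids:
        try:
            handler(session_member, sid)
            served += 1
        except (KeyError, Forbidden):
            pass
    return served


def sessions_walking_ids(access_log, threshold: int = 5) -> list:
    """Return sessions that requested more than `threshold` distinct statement ids.

    `access_log` is an iterable of (session_id, statement_id) pairs, e.g. parsed
    from web server logs. A member normally views a handful of their own
    statements; one session touching dozens of consecutive ids is worth a look.
    """
    seen = defaultdict(set)
    for session_id, statement_id in access_log:
        seen[session_id].add(statement_id)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


# Constructed access log: session "s2" requests ids 2000..2009 in sequence.
SAMPLE_LOG = [("s1", 1001), ("s1", 1003)] + [("s2", i) for i in range(2000, 2010)]
```

Running `audit_enumeration("member-A", range(1000, 1010), get_statement_vulnerable)` serves all three records, while the fixed handler serves only member-A's two; `sessions_walking_ids(SAMPLE_LOG)` returns `["s2"]`.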
IT security researcher Ryan Pereira said: “This raises several important questions for the industry.”
“One, why was a simple bug like this not identified, escalated and resolved quickly? And two, even if you missed this in your day-to-day operations, any large organisation like First State should have picked this up subsequently in their IT security audit. Three, why has First State sent a lawyer and the police to Webster?”
Google and Facebook have a ‘bounty on bugs’ policy, he said. They reward anyone who reports IT breaches or errors found in their website security.
Mr Pereira said: “Perhaps doing something like Google or Facebook could eradicate these missed errors. It is a collaborative move.
“Maybe First State or Pillar does not have proper IT security audit policies. Maybe this calls for legislation on mandatory IT security audits for organisations who handle people’s private information.”
Mr Gray said he was surprised at the way Webster was treated.
“It’s appalling. It’s arse covering. Something went wrong up the chain at First State and someone decided they need to pin their incompetence on this ‘clever hacker’.”
“It is wrong to focus on Webster. No one would have known that First State had put members’ details at risk for years had it not been for Webster.”
First State Super called the police and lawyers on Mr Webster and suspended online access to his account. Legal charges were only recently dropped.
NSW Acting Privacy Commissioner, John McAteer, reinforced the need to examine the legislating of mandatory breach notifications.
“First State Super’s privacy policy is very broad,” he said. “It does not outline how they will deal with a breach as soon as it is identified. For example, how and when people are notified about the breach and its rectifications.”
Members of First State Super are concerned about the lack of immediate communication about the breach.
Members only found out about the breach from media reports last week, nearly four weeks after the breach.
Current member Hannah Hibbert said: “Although I was not one of those breached, First State should communicate to all members straightaway. I’m disappointed I had to find this out first from a journalist.”
By Su-Lin Tan