On 2 November, the Australian Labor Party’s Shadow Minister for the Digital Economy, Ed Husic, took the Federal Government to task over the latest high profile data breach to hit a public sector enterprise this year.
“This is a serious and dramatic event. No one should underplay how big a deal this is,” Husic told Sky News from the Australian Computer Society’s Reimagination 2017 event in Sydney.
“It’s really hard for the government to tell business and the broader community that they’ve got to get their act together on cyber security when they can’t demonstrate a similar degree of seriousness themselves,” he said.
At the same time, Husic conceded that, “more often than not it’s not the tech that lets you down, it’s the people and the processes,” a reading borne out by the breach that made headlines in early November, in which reports indicate almost 50,000 personal records were made publicly accessible through a misconfigured Amazon S3 bucket.
First reported by iTnews on 2 November, the breach – thought to be Australia’s second-largest to date, after last year’s exposure of a database file holding information on around 550,000 prospective blood donors – hit several government and private sector entities.
It was reported that the details of thousands of employees from the likes of the Australian Electoral Commission (AEC), the Department of Finance and insurance firm AMP were compromised.
The exposed records were reportedly discovered by a Polish security researcher who goes by the name Wojciech, after searching the internet for Amazon S3 buckets containing sensitive data that had been inadvertently left open and publicly accessible.
The cloud-hosted database backups were made in 2016, according to iTnews.
In the words of Amazon, the cloud vendor’s S3 object storage offering provides “comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements”. Those capabilities only help if they are configured: under the shared responsibility model, who may read a bucket is decided by the customer’s own ACLs and bucket policies, and in this instance the breach occurred because a bucket was left open to public access, a human error rather than a platform fault.
In this case, the error is understood to have been made by an outside contractor, and the available evidence suggests that a single contractor was responsible.
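The misconfiguration described above is detectable from the bucket’s own metadata. The following audit script is an added example, not code from the article or from any of the organisations named in it: it inspects bucket ACLs and bucket policies for grants to the AllUsers or AuthenticatedUsers groups or to a wildcard principal, and then applies S3 Block Public Access semantics (IgnorePublicAcls neutralises public ACLs, RestrictPublicBuckets confines a public bucket policy to the owning account) to decide whether a finding is actually reachable from the internet. The three bucket descriptions are constructed to resemble what boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block return, so the script runs offline; bucket names, the canonical user ID and the VPC endpoint ID are invented.

```python
"""Audit S3 bucket ACLs and bucket policies for public read access.

Added example with constructed inputs; the bucket descriptions below are
shaped like boto3 get_bucket_acl / get_bucket_policy / get_public_access_block
output but are made up for this illustration.
"""

# Canned grantee URIs that S3 uses for its two "public" ACL groups.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Policy actions that let a principal download objects or enumerate keys.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """IAM policy JSON allows a single value or a list for Statement/Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_findings(acl):
    """Return (is_open, message) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and label:
            findings.append((True, f"ACL grants {grant.get('Permission')} to {label}"))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy):
    """Return (is_open, message) for Allow statements giving read actions to a wildcard principal."""
    findings = []
    if not policy:
        return findings
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        exposing = sorted(actions & READ_ACTIONS)
        if not exposing:
            continue
        if stmt.get("Condition"):
            # A Condition (aws:SourceVpce, aws:SourceIp, ...) may narrow the grant to a
            # private network; do not call it open, but a human must still review it.
            findings.append((False, f"policy allows {exposing} to '*' with a Condition; review manually"))
        else:
            findings.append((True, f"policy allows {exposing} to '*' on {_as_list(stmt.get('Resource'))}"))
    return findings


def audit_bucket(bucket):
    """Return {'name', 'exposed', 'findings'}; Block Public Access decides whether a grant is live."""
    bpa = bucket.get("PublicAccessBlock", {})
    acl = acl_findings(bucket.get("Acl", {}))
    pol = policy_findings(bucket.get("Policy"))
    # IgnorePublicAcls makes S3 disregard public ACL grants on the bucket and its objects.
    acl_open = any(is_open for is_open, _ in acl) and not bpa.get("IgnorePublicAcls", False)
    # RestrictPublicBuckets limits a public bucket policy to principals in the owning account.
    pol_open = any(is_open for is_open, _ in pol) and not bpa.get("RestrictPublicBuckets", False)
    return {"name": bucket["Name"], "exposed": acl_open or pol_open, "findings": [m for _, m in acl + pol]}


# Constructed sample inventory (names and IDs invented).
SAMPLE_BUCKETS = [
    {   # The failure mode from the article: an archived backup bucket readable by anyone.
        "Name": "expense-reports-backup-2016",
        "Acl": {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        "Policy": None,
        "PublicAccessBlock": {},
    },
    {   # A public-read policy that Block Public Access makes unreachable from outside the account.
        "Name": "static-site-assets",
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"}]},
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::static-site-assets/*"}]},
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
    {   # Wildcard principal gated on a VPC endpoint: not open, but worth a human look.
        "Name": "internal-exports",
        "Acl": {"Grants": []},
        "Policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                 "Action": ["s3:GetObject", "s3:ListBucket"],
                                 "Resource": ["arn:aws:s3:::internal-exports", "arn:aws:s3:::internal-exports/*"],
                                 "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}},
        "PublicAccessBlock": {},
    },
]


def audit_all(buckets=SAMPLE_BUCKETS):
    return [audit_bucket(b) for b in buckets]


if __name__ == "__main__":
    for result in audit_all():
        print(("EXPOSED " if result["exposed"] else "ok      ") + result["name"])
        for finding in result["findings"]:
            print("    -", finding)
```

Against the live account the same functions take the dictionaries returned by boto3; the only change needed is to fetch them per bucket (get_bucket_policy returns the policy as a JSON string, so json.loads it first, and both it and get_public_access_block raise a client error when nothing is set, which should be treated as "absent"). Note that a conditioned wildcard statement is deliberately reported but not scored as exposed: whether it is safe depends on the condition keys, which an automated reader cannot judge.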
Certainly, the Federal Government’s Department of the Prime Minister and Cabinet (DPMC), speaking on behalf of four affected Government departments, has laid the blame at the feet of an unnamed external contractor.
“The Australian Government is aware of a data breach involving a third party contractor engaged to provide expense management services,” the Department told ARN.
According to the DPMC, the Australian Cyber Security Centre (ACSC) was alerted to the breach in the first week of October and immediately contacted the external contractor to secure the information and remove the vulnerability within hours of notification.
At the same time, the Department has stressed that the exposed data did not contain any national security information, classified material, or Australian Government customer data.
“The data exposed was historical, archived and partially anonymised data,” the spokesperson said. “It contained limited personally identifiable information of government employees such as work email addresses, and in some cases Australian Government Service numbers and corporate credit card details.
“The bulk of credit card information within the data set had already expired,” it said. “The departments involved have been notifying affected staff and working to give them appropriate support.”
Meanwhile, AMP also conceded that a limited amount of company data, related to internal staff expenses, was inadvertently stored in a publicly available cloud service by a third-party supplier.
“The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. The data did not include any salary details of employees. No customer data was compromised at any time,” a spokesperson for the company told ARN.
At the same time, AMP said that it has “strict policies” in place regarding the handling of data by third party vendors.
“We are reviewing the situation to ensure standards are maintained,” it said.