568 reasons First State Super's security breach should worry you


I'm sure more than a few CSOs hugged their teddy bears a little tighter the night they heard about First State Super's (FSS's) information-security breach and the man who instigated it with the kind of "attack" a nine-year-old might try.

But it worked, and the consequences are still becoming clear. In the course of a week, one small security leak has left 770,000 customers wondering whether their personal data has been breached, potentially cost a major superannuation operator a $23 million contract, and pitched the company into the fast lane towards a dramatic face-off with state and federal privacy regulators.

It's unlikely that Patrick Webster, the security consultant who started it all by informing FSS he could access any member's super statements by simply changing an index number in the retrieval URL, expected any of this would happen. Like any good citizen, he was only worried that because he had been able to access someone else's data, another person could just as easily access his.

While reporting it to the IT staff earned him some words of thanks, it was only when the news reached executives' ears that alarm bells started ringing – and loud. Financial services companies – especially those that are bidding for the rights to run superannuation funds administered on behalf of government employees, politicians, ASIO spies and lots of other people whose personal details are rightly sensitive information – live or die based on customers' trust in them. And the kind of vulnerability Webster dug up is not exactly the kind of thing that boosts customer confidence; were this the USA, the class action would already have been filed.

But all that should have been FSS's problem, not Webster's. After all, Good Samaritanism has a long and storied history within our society. If you pick up a syringe on a beach and give it to a lifeguard, he won't blame you for planting it there. If you perform an emergency tracheostomy to help a choking person breathe, you probably won't hear them complaining about the size of the scar. FSS wasn't so understanding: police were notified and came knocking on Webster's door, and lawyers started alleging that he's guilty of computer trespass and in deep doo-doo. FSS claimed it had done nothing wrong and pointed the finger squarely at Webster, who professed his innocence and became a media target for several tense days – after which FSS began to relax its posture, then ran and ducked for cover before even telling its customers about the event. The company's current position is that it isn't going to prosecute Webster, but the story is still developing on a daily basis.

The thing is: FSS couldn't have responded in any other way. Particularly in our governance-obsessed financial system, once a security breach was discovered and known to have been exploited, the company's internal procedures would have kicked into operation. Had FSS's directors failed to do exactly what they did, it would have made a case for dereliction of their duties as directors, who are legally and ethically bound to manage the company's information-security profile amongst other controls.

They were, as the aphorism goes, damned if they did and damned if they didn't. In a country with strict Privacy Act obligations for all companies, you can't admit that you failed to protect the confidential information of 770,000 customers and get away without some sort of punishment. And you certainly can't expect to get away scot-free if, as one customer told the Sydney Morning Herald, the problem may have been in place, undetected, for more than 18 months. FSS's media release on the matter (http://www.firststatesuper.com.au/SecurityOfMemberInformationUpdate) is an attempt to manage the situation, but its core precept is one of quiet desperation. "Only 568 member statements were viewed", the company pleaded, and I'm sure someone considered pointing out that that represents just 0.07% of all accounts. It's also 0.0026% of all Australians, or 0.000008% of the world's population. There? See? It's a really, really small amount, so it was therefore not serious. Not at all.

Any security executive, however, knows it's 568 too many.

How do you measure the severity of a security breach? Is it by the number of records compromised? If Webster had viewed 1000 statements, or 10,000 statements, would his actions have somehow been more serious?

Of course not. The very existence of the fault reflects a fundamental failure in governance and procedure on the part of FSS; the type of "attack" Webster used, which required nothing more than changing a single digit of a URL, is taught in Security 101 and would have been picked up years ago by routine testing. For something this simple to have slipped through the company's IT security radar means somebody wasn't paying attention when they needed to be.
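The fault described above is what application-security people call an insecure direct object reference: the statement is fetched by the index number in the URL, and nothing checks that the logged-in member actually owns that statement. The following is an added example, not FSS's code and not from the column's author; the member numbers, statement numbers, balances and access-log lines are all constructed, and the log format is hypothetical. It shows the vulnerable lookup beside the hardened one, and, picking up the point that the problem went undetected for months, a log check that counts every statement a member viewed but does not own: any non-empty result is a confirmed disclosure, whether the count is 1 or 568.

```python
"""Added example: IDOR statement lookup, its hardened form, and a log check
for cross-member views. All data here is constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    statement_id: int   # sequential index of the kind that appeared in the URL
    member_id: int      # the member the statement belongs to
    body: str


# Constructed sample data: three hypothetical members, one statement each.
STATEMENTS = {
    1001: Statement(1001, member_id=7, body="member 7: balance $12,345"),
    1002: Statement(1002, member_id=8, body="member 8: balance $98,765"),
    1003: Statement(1003, member_id=9, body="member 9: balance $5,000"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested statement."""


def fetch_statement_vulnerable(member_id: int, statement_id: int) -> str:
    """The flaw the column describes: the lookup trusts the index in the URL
    and never asks whether the logged-in member owns that statement."""
    return STATEMENTS[statement_id].body


def fetch_statement_hardened(member_id: int, statement_id: int) -> str:
    """Authorisation check: the record must exist AND belong to the caller.
    Both failures raise the same exception, so the id space cannot be probed
    to learn which statement numbers exist."""
    stmt = STATEMENTS.get(statement_id)
    if stmt is None or stmt.member_id != member_id:
        raise Forbidden(f"member {member_id} may not view statement {statement_id}")
    return stmt.body


def can_view(member_id: int, statement_id: int) -> bool:
    """Convenience wrapper so the access decision can be checked as a boolean."""
    try:
        fetch_statement_hardened(member_id, statement_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines in a hypothetical format. Member 7 walks down
# three consecutive ids; member 8 fetches only its own statement and one
# non-existent id.
SAMPLE_LOG = """\
2011-09-01T10:00:01Z member=7 GET /statement?id=1001 200
2011-09-01T10:00:05Z member=7 GET /statement?id=1002 200
2011-09-01T10:00:09Z member=7 GET /statement?id=1003 200
2011-09-01T10:01:00Z member=8 GET /statement?id=1002 200
2011-09-01T10:01:30Z member=8 GET /statement?id=9999 404
"""

LOG_RE = re.compile(r"member=(\d+) GET /statement\?id=(\d+) (\d{3})$")


def foreign_views(log_text: str) -> dict:
    """Map each member to the statement ids they successfully viewed but do
    not own. Any non-empty list is a confirmed disclosure of someone else's
    data, which is why 568 is 568 too many."""
    views = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        member, sid, status = int(m.group(1)), int(m.group(2)), m.group(3)
        if status != "200":
            continue  # a refused or missing request disclosed nothing
        owner = STATEMENTS.get(sid)
        if owner is not None and owner.member_id != member:
            views[member].add(sid)
    return {m: sorted(ids) for m, ids in views.items()}


if __name__ == "__main__":
    print(fetch_statement_vulnerable(7, 1002))   # member 8's data leaks
    print(can_view(7, 1002))                      # False after the fix
    print(foreign_views(SAMPLE_LOG))              # {7: [1002, 1003]}
```

The ownership check is the essential fix; replacing sequential numbers with random, per-member handles is a useful second layer, but on its own it only makes guessing harder and does not replace the authorisation decision. The log check is the kind of control that would have turned an 18-month silent exposure into a same-day alert, and it also gives an exact answer to the "how many records" question rather than an estimate.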

Heads will no doubt roll within FSS once it figures out who managed this indefensible cockup. It's premature to speculate about potential punishments for breaching the Privacy Act, and I am not a lawyer. But it doesn't take a great legal mind to peruse the National Privacy Principles (NPP) and conclude that FSS is in clear breach of NPP 4, which mandates that "an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".

It would be hard – and, at many levels, unconscionable – for FSS to argue that its IT security omissions had not violated NPP 4, or that they were somehow less serious because "only" 568 accounts were compromised. What must be considered is the possibility that those 568 super records are lying on a hard drive somewhere, along with hundreds of thousands of others, as part of an identity-theft buffet available to the highest bidder.

If ever there were a case for centralised, robust security and extensive testing, this is it. There's no telling how the story will end – but we'll all be watching closely as it evolves from a late-night curiosity into a landmark case in Australia's corporate information security doctrine.


By David Braue, CSO Australia
