568 reasons First State Super's security breach should worry you
- — 25 October, 2011 11:39
I'm sure more than a few CSOs hugged their teddy bears a little tighter the night they heard about the penetration of First State Super's (FSS's) information-security breach and the man who instigated it with the kind of "attack" a nine-year-old might try.
But it worked, and the consequences are still becoming clear. In the course of a week, one small security leak has left 770,000 customers wondering whether their personal data has been breached, potentially cost a major superannuation operator a $23 million contract, and pitched the company into the fast lane towards a dramatic face-off with state and federal privacy regulators.
It's unlikely that Patrick Webster, the security consultant who started it all by informing FSS he could access any member's super statements by simply changing an index number in the retrieval URL, expected any of this would happen. Like any good citizen, he was only worried that because he had been able to access someone else's data, another person could just as easily access his.
While reporting it to the IT staff earned him some words of thanks, it was only when the news reached executives' ears that alarm bells started ringing – and loud. Financial services companies – especially those that are bidding for the rights to run superannuation funds administered on behalf of government employees, politicians, ASIO spies and lots of other people whose personal details are rightly sensitive information – live or die based on customers' trust in them. And the kind of vulnerability Webster dug up is not exactly the kind of thing that boosts customer confidence; were this the USA, the class action would already have been filed.
But all that should have been FSS's problem, not Webster's. After all, Good Samaritanism has a long and storied history within our society. If you pick up a syringe on a beach and give it to a lifeguard, he won't blame you for planting it there. If you perform an emergency tracheostomy to help a choking person breathe, you probably won't hear them complaining about the size of the scar. FSS wasn't so understanding: police were notified and came knocking on Webster's door, and lawyers started alleging that he’s guilty of computer trespass and is in deep doo-doo. FSS claimed it did nothing wrong and points the finger squarely at Webster, who professed his innocence and became a media target for several tense days – after which FSS began to relax its posture, then run and duck for cover before even telling its customers about the event. The company's current position is that it isn't going to prosecute Webster, but the story is still developing on a daily basis.
The thing is: FSS couldn't have responded in any other way. Particularly in our governance-obsessed financial system, once a security breach was discovered and known to have been exploited, the company's internal procedures would have kicked into operation. Failure for FSS directors to do exactly what they did, would have triggered a case for dereliction of their duties as directors – who are legally and ethically bound to manage the company's information-security profile amongst other controls.
They were, as the aphorism goes, damned if they did and damned if they don't. In a country with strict Privacy Act obligations for all companies, you can't admit that you failed to protect the confidential information of 770,000 customers and get away without some sort of punishment. And you certainly can't expect to get away scotch-free if, as one customer told the Sydney Morning Herald, the problem may have been in place, undetected, for more than 18 months. FSS's media release on the matter http://www.firststatesuper.com.au/SecurityOfMemberInformationUpdate is an attempt to manage the situation but its core precept is one of quiet desperation. "Only 568 member statements were viewed", the company pleaded, and I'm sure there was someone considering pointing out that that represents just 0.07% of all accounts. It's also 0.0026% of all Australians, or 0.000008% of the world's population. There? See? It's a really, really small amount so it was therefore not serious. Not at all.
Any security executive, however, knows it's 568 too many.
How do you measure the severity of a security breach? Is it by the number of records compromised? If Webster had viewed 1000 statements, or 10,000 statements, would his actions have somehow been more serious?
Of course not. The very existence of the fault reflects a fundamental failure in governance and procedure on the part of FSS; the type of "attack" Webster used, which required nothing more than changing a single digit of a URL, is taught in Security 101 and picked up years ago during routine testing. For something this simple to have slipped through the company's IT security radar means somebody wasn't paying attention when they needed to be.
Heads will no doubt roll within FSS once it figures out who managed this indefensible cockup. It's premature to speculate about potential punishments for breaching the Privacy Act, and I am not a lawyer. But it doesn't take a great legal mind to peruse the National Privacy Principles (NPP) and conclude that FSS is in clear breach of NPP 4, which mandates that "an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure".
It would be hard – and, at many levels, unconscionable – for FSS to argue that its IT security omissions had not violated NPP4, or that they were somehow less serious because "only" 568 accounts were compromised. What must be considered is the possibility that those 568 super records are lying on a hard drive somewhere along with hundreds of thousands of others as part of an identity-theft buffet available to the highest bidder.
If ever there were a case for centralised, robust security and extensive testing, this is it. There's no telling how the story will end – but we'll all be watching closely as it evolves from a late-night curiosity into a landmark case in Australia's corporate information security doctrine.