The Department of Broadband last week went beyond its obligations by notifying Stay Smart Online subscribers that a DVD containing their username and password had been lost in the post, but what is surprising is that the notification came nearly four months after the likely date it realised the DVD was lost.
The Department late last Friday notified Stay Smart Online subscribers that a contractor—which it separately clarified was the Australian Computer Emergency Response Team (AusCERT)—had sent the DVD to the department via Express Post on April 11.
Australia Post “guarantees next business day delivery” and the ability for the sender and receiver to track a parcel with Express Post.
The DVD was an important one for the SSO service. AusCERT was handing over subscriber details after a contract it had held since 2008—to provide “non-technical, easy to understand” security alerts to home users and SMEs—was awarded to two new contractors.
AusCERT’s contract ended on April 29, and the new contractors could not have taken over the service without the subscriber data.
Of course, AusCERT and the department could have arranged an alternative method of transferring up to 4GB of data from Queensland to Canberra, but if that occurred, there must have been an awareness by April 29 that the DVD was probably lost.
In the scheme of serious data losses over the past year, this probably won’t rank that highly, but if the department knew about the loss in April and did not notify subscribers until July, it undermines the advice they give to subscribers.
Several factors reduce the potential harm that could come to subscribers. First, the details on the DVD were “cryptographically hashed”. The department also said it had “no reason to believe the information has been found and misused by any third party”. Lastly, the DVD was lost in the post, not stolen by hackers who might be looking specifically for username/password pairs and would likely have the knowledge to crack the hashed passwords.
On the other hand, the notification cautions that anyone who used the same username/password pairings for other services “may wish to consider whether these need to be changed”.
That’s pretty good advice in light of the 6.5 million cryptographically hashed but “unsalted” LinkedIn usernames and passwords that were leaked last month.
We don’t know if the passwords were “salted”, but the reason salting became an issue in that case was that whoever had the hashed passwords could conduct an “offline” attack on them.
Unfortunately for the subscribers, however, it would have been better advice had the disclosure occurred closer to the date of discovery.
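The salting point above is worth making concrete. The following is an added illustration, not code from the department, AusCERT or LinkedIn: it shows why a file of unsalted hashes is exposed to an offline attack (one precomputed table serves every user, and no login attempt ever touches the service), and what a stored record looks like when each password is salted and stretched with PBKDF2 instead. The wordlist and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the dictionaries an offline attacker precomputes;
# not data from the article or any real leak.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 over the password alone: the same input always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """One-time precomputation of hash -> password. Because nothing per-user goes
    into an unsalted hash, this single table applies to every record in a leaked file."""
    return {unsalted_hash(p): p for p in wordlist}


def recover_unsalted(leaked_hashes, table):
    """Offline lookup: no interaction with the service, so no lockouts and no logs."""
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both are stored alongside the username, neither is secret."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo():
    # Two subscribers who happen to share a weak password, one with a strong one.
    leaked = [unsalted_hash("password"), unsalted_hash("password"), unsalted_hash("c0rrect-h0rse")]
    recovered = recover_unsalted(leaked, build_lookup_table(COMMON_PASSWORDS))
    # Salted: identical passwords produce different records, so one table cannot serve all users.
    s1, d1 = salted_hash("password")
    s2, d2 = salted_hash("password")
    return recovered, d1 != d2, verify_salted("password", s1, d1)


if __name__ == "__main__":
    print(demo())
```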