
Australian Cloud Breach Exposes Government Staff Data

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe

The personal details of tens of thousands of Australian government and banking staff exposed in latest breach

The steady exposure of damaging data breaches continues, with the latest taking place down under in Australia.

A breach at an unnamed contractor resulted in what is considered the second largest ever data breach in that country.

The largest breach in Australia actually took place this time last year, when hackers breached and leaked the personal data from Australia’s Red Cross Blood Service, leading to the details of 550,000 donors being exposed.


S3 Bucket

But the fresh breach has resulted in the exposure of the personal records of 48,270 people, including staff of several Australian government agencies, banks and a utility.

The data breach reportedly happened because the data was left openly accessible as a result of a misconfigured Amazon S3 bucket, according to iTnews.

The records were apparently discovered by a Polish security researcher called Wojciech, who had been searching Amazon S3 buckets set to open, with “dev”, “stage”, or “prod” in the domain name, and containing specific file types like xls, zip, pdf, doc and csv.

Wojciech discovered that the Australian files included full names, passwords, IDs, phone numbers, and email addresses, as well as some credit card numbers and details on staff salaries and expenses.

It was reported that the insurer AMP was the most impacted, with 25,000 staff records exposed as a result of the misconfiguration.

But Aussie utility UGL was also affected, with 17,000 records exposed, while 1,500 staff records from Rabobank were also discovered.

And it seems that several thousand government employee details were also leaked including 3,000 at the Department of Finance, 1,470 at the Australian Electoral Commission, and 300 at the National Disability Insurance Agency.

Wojciech apparently stumbled across database backups that had been made in March 2016, and he reportedly confirmed that most of the credit card numbers had already been cancelled, and that many of the records were available in duplicate.

“Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability,” a spokesperson for the Department of Prime Minister and Cabinet (the parent agency for the Australian Cyber Security Centre) told iTnews.

“Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements,” the spokesperson reportedly said.

The Australian cyber agency urged any affected organisations to get in touch.

Data Protection

The latest breach has prompted at least one security expert to point out that organisations nowadays need to have people and resources dedicated to protecting and securing data.

“Time and time again we have seen that even the most basic of personal identifiable information puts people at risk,” said Jes Breslaw, director of strategy, EMEA at Delphix. “Names, addresses and contact information all hold money-making potential for opportunistic cyber criminals on the dark web.”

“In this instance, it appears a database backup was stored in the cloud, demonstrating a lack of control over data,” said Breslaw. “The scary truth is that most organisations have hundreds or even thousands of copies of databases with little or no knowledge or control where they reside and who has access to them.”

“This is why more and more companies are adopting a DataOps approach assigning dedicated people and tools to manage and secure data across an organisation,” said Breslaw. “A Dynamic Data Platform that embraces the core principles of DataOps enables data operators to know exactly what data is where, to be able to mask (anonymise) data that is not required for production systems, and to ensure that data consumers only have the data they require.”
