Emmanuel Marshall 03 November 2017 14:28:11 AEDT 5 MIN READ

50,000 Employee Files Exposed by Server Security Error

Another reminder this week of the vital importance of securing sensitive data and IP. 
Just as we were shaking our collective heads at the misfortunes of Equifax and their data breach - which saw the personal details of millions of individuals leaked online - another breach has come to light that has exposed the personal details of nearly 50,000 government and corporate employees.

A breaking story in Australia, first reported yesterday by IT News, has revealed that 48,270 sensitive personal data records have been exposed, including credit card numbers, salary information, passwords, ID data, email addresses and phone numbers.

This is Australia’s second largest data breach, according to IT News, after the 550,000 Red Cross blood donor records that were compromised in 2016.

How to Protect Against Human Error?

This latest large-scale data breach was discovered by a security researcher in Poland, identified only as ‘Wojciech’. Wojciech was searching the internet for Amazon s3 buckets containing sensitive data, that had been left open accidentally.

The term ‘Amazon s3 buckets’ might not mean much to you - they weren’t on my radar until today - but apparently, these things are a gold mine for cybercriminals if they aren’t set up properly.

I asked one of the tech experts here in our threat detection team - about Amazon s3 buckets and what he told me was a real eye-opener.

A few big vendors - Amazon among them - offer cloud-based storage services to business; server space where they can set up file storage that’s accessible remotely. These storage servers - known as s3 buckets - can be configured to allow only password protected use, or they can be public, for things like email signature graphics that are not a security issue.

It’s not clear yet exactly what happened in this specific case, but most likely the exposure of these sensitive files resulted from human error. Somebody setting up the s3 buckets for these organizations - probably a third party contractor - simply forgot to configure the security settings properly, so instead of only allowing access to specified users, the files were available for anyone to download at will.  


What’s the Damage?

According to IT News’ post, about 43,000 corporate employee records were out in the open.

  • About 25,000 staff records belonging to the insurer AMP,
  • 17,000 data records from the utility UGL, and
  • 1,500 records from Rabobank

In addition, the exposure included:

  • 3,000 documents from the Australian Department of Finance,
  • 1,470 records from the Australian Electoral Commission, and 
  • 300 records from the National Disability Insurance Agency

The only good news here is that this database was from 2016, so many of the credit card details included were expired - but that’s cold comfort for the employees of these organizations who believed their data was secure.

IT News quoted a statement by the Department of Prime Minister and Cabinet - the parent agency for the Australian Cyber Security Centre - in response to this breach:

"Once the Australian Cyber Security Centre (ACSC) became aware of the situation, they immediately contacted the external contractor and worked with them to secure the information and remove the vulnerability. Now that the information has been secured, the ACSC and affected government agencies have been working with the external contractor to put in place effective response and support arrangements." The ACSC declined to name the contractor involved.

A spokesperson for AMP is quoted in the IT News article saying:

"The mistake was quickly corrected once identified and the matter investigated to ensure all data had been removed. No customer data was compromised at any time. AMP treats data security very seriously and has strict policies in place regarding the handling of data with third-party vendors. We are reviewing the situation to ensure standards are maintained."


Can This Kind of Problem be Avoided? 

This situation raises issues around the responsibility for cybersecurity. How do you protect against the kind of human error that seems to have caused this breach? 
Is it even possible to keep track of all the obscure and multitudinous repositories of data that are tucked away in hidden corners of cyberspace? If a Polish researcher can discover this stuff, it’s also possible for cybercriminals to get hold of it. 

According to IT News, Wojciech notified AMP and the Defense Department about his discovery of the exposed s3 bucket back in early October. He got a response from the Australian Government saying that they were working with the relevant contractor to close the breach. 

Starting in February 2018 organizations will be legally obliged to report all data breaches of this kind to the Office of the Australian Information Commissioner. 

This latest incident is unusual because the data breach stemmed from a server vulnerability, but the fact that human error was probably involved is a familiar theme. 9 out of 10 cyber-incidents start with a malignant email that is trying to prey on human curiosity and carelessness. People are usually the weakest link in any I.T. system. Education is the key to better awareness of cybersecurity issues and companies and governments are working hard to improve protection for sensitive data.

Stay informed on breaking scam news. Subscribe to MailGuard's free weekly updates by clicking on the button below:

Keep Informed with Weekly Updates