[LINK] Super fund security breach lands good Samaritan in hot water

Jan Whitaker jwhit at melbpc.org.au
Tue Oct 18 18:26:20 AEDT 2011

Super bad: First State set police on man who showed them how 770,000 
accounts could be ripped off

From the article:
Asked whether the legal letter was heavy-handed given that Webster 
could have just as easily released the vulnerability to the hacking 
community, Dwyer said First State Super approached police as a matter 
of course when there was a privacy breach. [PRIVACY breach? This was 
a security breach. They report to the police, which is good, but 
makes me wonder if this is standard practice.]

He said Webster's actions were more serious because he did not just 
access his own or a mate's account, but hundreds of other customer 
accounts, to prove the security flaw was real.

"While we were appreciative of him showing us a weakness in our 
security systems the size of the downloads concerned us greatly and 
the fact that it was a major breach of the privacy provisions of our 
members," Dwyer said in a phone interview.

Dwyer acknowledged that the fact that the account information was 
exposed, potentially opening up members to identity theft, was 
"disappointing". But he said checks thus far had indicated that no 
one else had accessed the files in the way Webster had. [How in the 
heck would he know?? It was a matter of just changing the numbers in 
the URL. I guess they could scan their logs???]

NSW Police said it was not taking any further action on this matter. 
"There was no criminal offence committed and the company in question 
has been informed of the outcome. It was more a case of a 
civic-minded person reporting a potential security breach."

The Office of the Privacy Commissioner did not respond to a request 
for comment.

[At least the police used common sense!]

Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com

Our truest response to the irrationality of the world is to paint or 
sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer
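The question raised in the post, whether the fund could tell from its logs that nobody else had walked through account numbers, is a detection problem. The following is an added example, not code from the post or from First State Super: a small Python scan over constructed access-log lines (the `/member/statement` path and the `account` parameter are assumptions, as the real URL layout is not described) that flags clients fetching many distinct, consecutive account IDs.

```python
import re
from collections import defaultdict
# Constructed sample access-log lines (Apache combined format). The path and
# the "account" query parameter are assumptions, not the real site's layout.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2011:09:01:02 +1100] "GET /member/statement?account=100231 HTTP/1.1" 200 5120
203.0.113.7 - - [15/Oct/2011:09:01:03 +1100] "GET /member/statement?account=100232 HTTP/1.1" 200 5098
203.0.113.7 - - [15/Oct/2011:09:01:03 +1100] "GET /member/statement?account=100233 HTTP/1.1" 200 5201
203.0.113.7 - - [15/Oct/2011:09:01:04 +1100] "GET /member/statement?account=100234 HTTP/1.1" 200 4990
203.0.113.7 - - [15/Oct/2011:09:01:04 +1100] "GET /member/statement?account=100235 HTTP/1.1" 200 5110
198.51.100.20 - - [15/Oct/2011:09:02:10 +1100] "GET /member/statement?account=100777 HTTP/1.1" 200 5050
198.51.100.20 - - [15/Oct/2011:09:05:44 +1100] "GET /member/statement?account=100777 HTTP/1.1" 200 5050
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ACCOUNT_RE = re.compile(r'[?&]account=(\d+)')

def account_ids_by_client(log_text):
    """Map each client IP to the set of distinct account IDs it fetched with HTTP 200."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('status') != '200':
            continue  # skip unparseable lines and requests that were refused
        acct = ACCOUNT_RE.search(m.group('path'))
        if acct:
            seen[m.group('ip')].add(int(acct.group(1)))
    return seen

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers in the set (0 if empty)."""
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # only start counting at the beginning of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best

def find_enumeration(log_text, min_distinct=3, min_run=3):
    """Return {ip: (distinct_ids, longest_run)} for clients walking through account numbers."""
    flagged = {}
    for ip, ids in account_ids_by_client(log_text).items():
        run = longest_sequential_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[ip] = (len(ids), run)
    return flagged
```

A legitimate member viewing only their own account (the second client above) never trips the check, while the sequential walk from the first client does; thresholds would be tuned to the real application's traffic.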
