[LINK] Super fund security breach lands good Samaritan in hot water

Scott Howard scott at doc.net.au
Wed Oct 19 10:27:05 AEDT 2011


On Tue, Oct 18, 2011 at 12:26 AM, Jan Whitaker <jwhit at melbpc.org.au> wrote:

> Super bad: First State set police on man who showed them how 770,000
> accounts could be ripped off
>
> http://www.theage.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html
>

It's always hard to know exactly which parts of articles like this to
believe, but if the following is true then IMHO he does have something to
answer to - even if it's just bad judgement:

*"To demonstrate the flaw to First State's IT staff, he wrote a script that
cycled through each ID number and pulled down the relevant report to his
computer. He confirmed that the vulnerability affected the firm's full
customer database."*

Downloading a small number of random reports is all that would have been
required to prove a problem existed.  There is absolutely no excuse for
downloading all ~770,000 (or even just a small percentage of them) - if that
really is what he did.

From First State's perspective they would have to presume that he still has
copies of all of the reports he downloaded - which clearly requires action.

  Scott
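The flaw the article describes (reports served by a predictable ID with no ownership check, so a script could walk every ID) is the classic insecure direct object reference. The following is an added example, not code from the thread, the article or First State: it models the vulnerable handler beside the fixed one, and adds the kind of log check a defender would want so that a client walking sequential IDs is noticed after a handful of requests rather than after 770,000. The member names, report IDs and log lines are constructed, and the `/report?id=` URL shape is an assumption.

```python
"""Added example (not from the original thread): an IDOR-style report endpoint,
its hardened form, and a log-based detector for sequential-ID enumeration.
All data below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample data: report ID -> member who owns that report.
REPORTS = {1001: "alice", 1002: "bob", 1003: "carol", 1004: "dave"}


class Forbidden(Exception):
    """Raised when a caller asks for a report that is not theirs."""


def fetch_report_vulnerable(report_id: int, session_user: str) -> str:
    """Insecure: trusts the ID from the request and never checks who owns it.
    Any authenticated caller can read any report by changing the number."""
    return f"report {report_id} for {REPORTS[report_id]}"


def fetch_report_fixed(report_id: int, session_user: str) -> str:
    """Fixed: the owner is looked up server-side and compared with the session.
    Missing and foreign IDs get the same answer so the check leaks nothing."""
    owner = REPORTS.get(report_id)
    if owner is None or owner != session_user:
        raise Forbidden("not your report")
    return f"report {report_id} for {owner}"


def can_read(report_id: int, session_user: str) -> bool:
    """Convenience wrapper over the fixed handler, returning a bool."""
    try:
        fetch_report_fixed(report_id, session_user)
        return True
    except Forbidden:
        return False


# Constructed access-log lines: "<client> GET /report?id=<n>" (URL shape assumed).
LOG_LINES = [
    "10.0.0.5 GET /report?id=1001",
    "10.0.0.9 GET /report?id=1002",
    "10.0.0.5 GET /report?id=1002",
    "10.0.0.7 GET /report?id=1003",
    "10.0.0.5 GET /report?id=1003",
    "10.0.0.9 GET /report?id=1002",
    "10.0.0.5 GET /report?id=1004",
    "10.0.0.7 GET /report?id=1001",
]

LOG_RE = re.compile(r"^(?P<client>\S+) GET /report\?id=(?P<id>\d+)$")


def longest_consecutive_run(ids: list[int]) -> int:
    """Length of the longest run of IDs that each increase by exactly one."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def enumeration_suspects(log_lines: list[str], min_run: int = 3) -> dict[str, int]:
    """Map each client that walked min_run or more consecutive IDs to its run length.
    A single member viewing their own report never produces a run above 1."""
    by_client: dict[str, list[int]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            by_client[m["client"]].append(int(m["id"]))
    suspects = {}
    for client, ids in by_client.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            suspects[client] = run
    return suspects


if __name__ == "__main__":
    print(fetch_report_vulnerable(1002, "alice"))   # bob's report, no check
    print(can_read(1002, "alice"))                  # False after the fix
    print(enumeration_suspects(LOG_LINES))          # {'10.0.0.5': 4}
```

The detector is deliberately simple (strictly ascending, step of one); a real deployment would also want per-client rate limits and non-guessable report identifiers, but the ownership check in `fetch_report_fixed` is the change that actually removes the flaw.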


