[LINK] Super fund security breach lands good Samaritan in hotwater

Tom Koltai tomk at unwired.com.au
Wed Oct 19 13:10:48 AEDT 2011



> -----Original Message-----
> From: link-bounces at mailman.anu.edu.au 
> [mailto:link-bounces at mailman.anu.edu.au] On Behalf Of Scott Howard
> Sent: Wednesday, 19 October 2011 9:27 AM
> To: Jan Whitaker
> Cc: privacy at lists.efa.org.au; link at anu.edu.au
> Subject: Re: [LINK] Super fund security breach lands good 
> Samaritan in hotwater
> 
> 
> On Tue, Oct 18, 2011 at 12:26 AM, Jan Whitaker 
> <jwhit at melbpc.org.au> wrote:
> 
> > Super bad: First State set police on man who showed them how 770,000
> > accounts could be ripped off
> >
> > http://www.theage.com.au/it-pro/security-it/super-bad-first-state-set-police-on-man-who-showed-them-how--770000-accounts-could-be-ripped-off-20111018-1lvx1.html
> >
> 
> It's always hard to know exactly which parts of articles like
> this to believe, but if the following is true then IMHO he
> does have something to answer to - even if it's just bad judgement:
> 
<SNIP>
> 
> From First State's perspective they would have to presume that he still
> has copies of all of the reports he downloaded - which clearly
> requires action.
> 
>   Scott

Notwithstanding the logic - i.e.: 3 customer accounts would have
demonstrated the accessibility problem adequately...

The cynic in me with over thirty-five years of observing banks' reactions
to security matters makes the following anecdotal observations...

3 Customers can be explained away as a system anomaly...
But there is no way the bank can adequately refute 700,000 customer
records as a temporary "system anomaly".

Possibly the bank's management had their egos out of joint when they
couldn't play the "computer glitch" card in the face of overwhelming
evidence and decided to get back at the source of their embarrassment.

This in fact is an excellent demonstration of why most bank fraud is
never publicized - i.e.: the resulting negative churn rate generated.

I wonder how many First State customers are moving their portfolios to
ING or some such other bank that doesn't have such an easily spoofed
client data look-up process.

Dobbing in the "good Samaritan" probably cost First State several
million dollars in:

A) current lost customer accounts
B) public negative perception leading to future lost business
C) a software and systems rewrite to hide the identifying SQL sequence
behind at least a hash of some sort.

AND... A couple of senior executive "retirements".

TomK
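The mitigation Tom lists under (C), replacing a sequential identifier in the lookup path with a keyed hash, as an added example in Python that is not part of this thread or of any First State system. The account table, owner names and HMAC key are constructed for the example; the ownership check in `hardened_lookup` is an addition beyond what the post describes, because an opaque token on its own only removes the guessable sequence, while the check is what stops one member reading another's statement.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample data: a small "member statements" table keyed by a
# sequential account number, the kind of identifier that can simply be
# walked in order if it appears directly in a lookup request.
STATEMENTS: Dict[int, dict] = {
    100001: {"owner": "alice", "balance": 52000},
    100002: {"owner": "bob", "balance": 18750},
    100003: {"owner": "carol", "balance": 91000},
}

# Server-side key for the keyed hash. Constructed for the example; in a
# real deployment it comes from configuration and never reaches the client.
TOKEN_KEY = b"constructed-example-key-not-for-production"


def sequential_lookup(account_no: int) -> Optional[dict]:
    """The weak pattern: the request carries the raw sequential number and
    nothing ties it to the caller, so neighbouring numbers are also valid."""
    return STATEMENTS.get(account_no)


def account_token(account_no: int) -> str:
    """Opaque reference: HMAC-SHA256 of the account number under the
    server-side key. Knowing one token gives no way to derive another."""
    mac = hmac.new(TOKEN_KEY, str(account_no).encode(), hashlib.sha256)
    return mac.hexdigest()


def build_token_index() -> Dict[str, int]:
    """Server-side map from opaque token back to the internal account number,
    so the sequential number never has to appear in a request."""
    return {account_token(n): n for n in STATEMENTS}


TOKEN_INDEX = build_token_index()


def hardened_lookup(token: str, caller: str) -> Optional[dict]:
    """Resolve the opaque token, then separately confirm the record belongs
    to the authenticated caller. Both failures look identical to the
    client so the response does not reveal which tokens exist."""
    account_no = TOKEN_INDEX.get(token)
    if account_no is None:
        return None
    record = STATEMENTS[account_no]
    if record["owner"] != caller:
        return None
    return record


def count_reachable_sequential(start: int, stop: int) -> int:
    """How many statements a caller who walks the number range can read
    through the weak lookup."""
    return sum(1 for n in range(start, stop) if sequential_lookup(n) is not None)


def count_reachable_hardened(caller: str, tokens) -> int:
    """How many statements the same caller can read through the hardened
    lookup, even when handed every valid token."""
    return sum(1 for t in tokens if hardened_lookup(t, caller) is not None)


if __name__ == "__main__":
    print("weak lookup, walking 100000-100009:",
          count_reachable_sequential(100000, 100010))
    print("hardened lookup, alice holding all tokens:",
          count_reachable_hardened("alice", TOKEN_INDEX))
```

The two counters make the difference visible: walking ten consecutive numbers through the weak lookup returns every record in the table, while the hardened path returns only the caller's own record even when the caller is handed every token that exists.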
