[LINK] Super fund security breach lands good Samaritan in hot water
jwhit at melbpc.org.au
Thu Oct 20 18:30:38 AEDT 2011
At 06:26 PM 18/10/2011, Jan Whitaker wrote:
>Super bad: First State set police on man who showed them how 770,000
>accounts could be ripped off
New article: - Note the finger pointing - Yes we did, no you didn't!
Claims First State Super flaw ignored for 'years'
October 20, 2011 - 12:09PM
The company that manages the day-to-day operations of First State
Super denies claims by a former IT staffer that it knew of a major
security flaw that potentially exposed 770,000 member details years
ago and did nothing.
The flaw, exposed by IT security consultant Patrick Webster, allowed
members to access other members' statements simply by changing a
number in the URL bar.
This exposed members - predominantly public servants including
police, politicians and magistrates - to identity theft due to the
sensitivity of the personal details that were revealed, including
full names, addresses, email addresses, membership number, age,
insurance information, superannuation amount, fund allocations,
beneficiaries and employer information.
Pillar Administration administers the day-to-day operations of First
State Super including customer service, maintaining its member
records and websites, processing employer and member contributions
and paying benefits.
A source, who Fairfax Media has confirmed worked on Pillar's
technology team for several years but left earlier this year, said on
condition of anonymity that Pillar was aware of the security flaw for
about two years but did nothing. He said Pillar hosted on its servers
First State's online membership system and statements.
''It was actually a known issue - people knew about it and it was
discussed ... I remember we were talking about implementing some of
the special security standards,'' the source said.
So why wasn't the bug fixed? ''I don't know why, probably time
constraints ... we get told what to do by management,'' the source said.
A Pillar spokesman denied the allegations. ''It's garbage - we fixed
this thing in a matter of hours so why would we sit on it for years?
Makes no sense, there's no logic.''
The source's information contradicts statements released by First
State Super in the wake of the breach, which has sparked
investigations by both the NSW and Federal Privacy Commissioners.
In a media statement released yesterday, First State Super claimed it
''immediately corrected'' the security fault in its website ''as soon
as the problem was identified in late September 2011''.
It claims the only statements that were accessed without permission
were the 568 downloaded by Webster when he was testing the security flaw.
First State Super chief executive Michael Dwyer claims he has logs
which definitively show that no one aside from Webster exploited the
flaw to access statements other than their own. He claimed the
company had received alerts when Webster was accessing the statements.
''We were in fact already investigating these alerts when Webster
contacted us,'' he said.
''We have checked our log of alerts going back to when online
statements were first introduced and there has never been any other
such alerts other than for when Webster read other members' annual statements.
''We are therefore absolutely confident that this has been the only
breach of privacy that has occurred and why we have only written to
the members whose statements were accessed to alert them of this
But the former Pillar IT staff member said there were ''no controls that
produce security or privacy alerts'', and the only alerts that were
produced were technical system errors.
''Access to statements are logged ... however, the fact that another
member A accesses the statement of member B does not trigger an
'alert' - so that part is total rubbish,'' the Pillar source said.
One First State customer who contacted Fairfax Media said they
stumbled across the security flaw while checking their statement more
than 18 months ago. ''I discovered the problem completely by
accident,'' the customer said.
Dwyer did not return calls this morning. But Pillar this morning
insisted that the company has for years been set up to receive alerts
when a member accessed another member's statement. Pillar said the
source was a ''disenfranchised employee making ridiculous claims''.
''When Webster hacked into the annual statements we got an error or
an alert ... because of this we went back in our logs for nearly two
years because that's when this code was first introduced and there
were no technical alerts that were of the same nature,'' the spokesman said.
But Pillar's spokesman could not explain why there was no alert when
the customer quoted in this article accidentally stumbled across the
bug long before Webster. It is not clear how many other customers did the same.
The superannuation industry is regulated by the Australian Prudential
Regulation Authority. A spokesman for APRA said he could not comment
on the matter because ''a secrecy provision in the APRA Act prevents
us from'' commenting on the institutions that it regulates.
APRA's oversight of the industry extends to ensuring firms adequately
manage IT risks.
A ''prudential practice guide'' on the management of security risk in
information technology by superannuation firms (PDF) is published on
APRA's website. ''Controls, commensurate with the sensitivity and
criticality of the data/information involved, would normally be
implemented where sensitive data/information is at risk of leakage,''
the guidelines around access controls state.
The security breach is not the first time First State Super has hit
the headlines in recent months. The super fund was caught up in the
saga involving former head of the Health Services Union Michael
Williamson and federal MP Craig Thomson.
Williamson, who with Thomson is being investigated by police for
allegedly receiving secret commissions from a major union supplier,
is a director of First State Super.
Williamson has stepped down from his positions at HSU and First State
Super until the matter is resolved.
''Mr Williamson has requested that he be absented from all Board and
Committee meetings for the next three months until these matters are
resolved,'' Dwyer said in an email to a customer, seen by Fairfax Media.
Do you know more? asher.moses at smh.com.au
This reporter is on Twitter: @ashermoses
This story was found at:
Melbourne, Victoria, Australia
jwhit at janwhitaker.com
Our truest response to the irrationality of the world is to paint or
sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer
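The flaw the article describes (changing a number in the URL to read another member's statement) and the disputed control (an alert when member A reads member B's statement) can both be shown in a few lines. The code below is an added illustration, not First State Super's or Pillar's code; the statement store, member ids and audit log are constructed for the example.

```python
"""Added example: direct-object-reference check plus cross-member access
alerting for a hypothetical 'member statement' endpoint."""
from dataclasses import dataclass, field
from collections import Counter

# Constructed sample data: statement id -> (owning member id, statement body).
STATEMENTS = {
    1001: ("M-100", "annual statement for member M-100"),
    1002: ("M-200", "annual statement for member M-200"),
    1003: ("M-200", "annual statement for member M-200, prior year"),
}


@dataclass
class AuditLog:
    """Records (requesting member, statement id, outcome) for every request."""
    events: list = field(default_factory=list)

    def record(self, requester, statement_id, outcome):
        self.events.append((requester, statement_id, outcome))


def vulnerable_get_statement(requester, statement_id, log):
    """Before: any logged-in member receives any statement whose id they ask for.
    The access is logged, but nothing checks whose statement it is."""
    log.record(requester, statement_id, "ok")
    entry = STATEMENTS.get(statement_id)
    return entry[1] if entry else None


def secure_get_statement(requester, statement_id, log):
    """After: the statement must belong to the logged-in member; anything else
    is denied and logged with an outcome a monitor can alert on."""
    entry = STATEMENTS.get(statement_id)
    if entry is None:
        log.record(requester, statement_id, "not_found")
        return None
    owner, body = entry
    if owner != requester:
        log.record(requester, statement_id, "denied_cross_member")
        return None
    log.record(requester, statement_id, "ok")
    return body


def cross_member_alerts(log, threshold=1):
    """Detection over the audit log: per requester, count requests that touched
    another member's statement, whatever the outcome. Run against logs from the
    vulnerable handler this surfaces the leak that 'access is logged' alone does
    not; run against the secure handler it counts the denials."""
    counts = Counter()
    for requester, statement_id, _outcome in log.events:
        entry = STATEMENTS.get(statement_id)
        if entry is not None and entry[0] != requester:
            counts[requester] += 1
    return {r: n for r, n in counts.items() if n >= threshold}
```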