[LINK] Super fund security breach lands good Samaritan in hot water

Jan Whitaker jwhit at melbpc.org.au
Thu Oct 20 18:30:38 AEDT 2011

At 06:26 PM 18/10/2011, Jan Whitaker wrote:
>Super bad: First State set police on man who showed them how 770,000
>accounts could be ripped off

New article: - Note the finger pointing - Yes we did, no you didn't!

Claims First State Super flaw ignored for 'years'

  Asher Moses
  October 20, 2011 - 12:09PM

The company that manages the day-to-day operations of First State 
Super denies claims by a former IT staffer that it knew of a major 
security flaw that potentially exposed 770,000 member details years 
ago and did nothing.

The flaw, exposed by IT security consultant Patrick Webster, allowed 
members to access other members' statements simply by changing a 
number in the URL bar.

This exposed members - predominantly public servants including 
police, politicians and magistrates - to identity theft due to the 
sensitivity of the personal details that were revealed, including 
full names, addresses, email addresses, membership number, age, 
insurance information, superannuation amount, fund allocations, 
beneficiaries and employer information.

Pillar Administration administers the day-to-day operations of First 
State Super including customer service, maintaining its member 
records and websites, processing employer and member contributions 
and paying benefits.

A source, who Fairfax Media has confirmed worked on Pillar's 
technology team for several years but left earlier this year, said on 
condition of anonymity that Pillar was aware of the security flaw for 
about two years but did nothing. He said Pillar hosted on its servers 
First State's online membership system and statements.

''It was actually a known issue - people knew about it and it was 
discussed ... I remember we were talking about implementing some of 
the special security standards,'' the source said.

So why wasn't the bug fixed? ''I don't know why, probably time 
constraints ... we get told what to do by management,'' the source said.

A Pillar spokesman denied the allegations. ''It's garbage - we fixed 
this thing in a matter of hours so why would we sit on it for years? 
Makes no sense, there's no logic.''

The source's information contradicts statements released by First 
State Super in the wake of the breach, which has sparked 
investigations by both the NSW and Federal Privacy Commissioners.

In a media statement released yesterday, First State Super claimed it 
''immediately corrected'' the security fault in its website ''as soon 
as the problem was identified in late September 2011''.

It claims the only statements that were accessed without permission 
were the 568 downloaded by Webster when he was testing the security flaw.

First State Super chief executive Michael Dwyer claims he has logs 
which definitively show that no one aside from Webster exploited the 
flaw to access statements other than their own. He claimed the 
company had received alerts when Webster was accessing the statements.

''We were in fact already investigating these alerts when Webster 
contacted us,'' he said.

''We have checked our log of alerts going back to when online 
statements were first introduced and there has never been any other 
such alerts other than for when Webster read other members annual statements.

''We are therefore absolutely confident that this has been the only 
breach of privacy that has occurred and why we have only written to 
the members whose statements were accessed to alert them of this 
privacy breach.''

But the former Pillar IT staff member said there ''no controls that 
produce security or privacy alerts'', and the only alerts that were 
produced were technical system errors.

''Access to statements are logged ... however, the fact that another 
member A accesses the statement of member B does not trigger an 
'alert' - so that part is total rubbish,'' the Pillar source said.

One First State customer who contacted Fairfax Media said they 
stumbled across the security flaw while checking their statement more 
than 18 months ago. ''I discovered the problem completely by 
accident,'' the customer said.

Dwyer did not return calls this morning. But Pillar this morning 
insisted that the company has for years been set up to receive alerts 
when a member accessed another member's statement. Pillar said the 
source was a ''disenfranchised employee making ridiculous claims''.

''When Webster hacked into the annual statements we got an error or 
an alert ... because of this we went back in our logs for nearly two 
years because that's when this code was first introduced and there 
were no technical alerts that were of the same nature,'' the spokesman said.

But Pillar's spokesman could not explain why there was no alert when 
the customer quoted in this article accidentally stumbled across the 
bug long before Webster. It is not clear how many other customers did the same.

The superannuation industry is regulated by the Australian Prudential 
Regulation Authority. A spokesman for APRA said he could not comment 
on the matter because ''a secrecy provision in the APRA Act prevents 
us from'' commenting on the institutions that it regulates.

APRA's oversight of the industry extends to ensuring firms adequately 
manage IT risks.

A ''prudential practice guide'' on the management of security risk in 
information technology by superannuation firms (PDF) is published on 
APRA's website. ''Controls, commensurate with the sensitivity and 
criticality of the data/information involved, would normally be 
implemented where sensitive data/information is at risk of leakage,'' 
the guidelines around access controls state.

The security breach is not the first time First State Super has hit 
the headlines in recent months. The super fund was caught up in the 
saga involving former head of the Health Services Union Michael 
Williamson and federal MP Craig Thomson.

Williamson, who with Thomson is being investigated by police for 
allegedly receiving secret commissions from a major union supplier, 
is a director of First State Super.

Williamson has stepped down from his positions at HSU and First State 
Super until the matter is resolved.

''Mr Williamson has requested that he be absented from all Board and 
Committee meetings for the next three months until these matters are 
resolved,'' Dwyer said in an email to a customer, seen by Fairfax Media.

Do you know more? asher.moses at smh.com.au

  This reporter is on Twitter: @ashermoses

This story was found at: 

Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com

Our truest response to the irrationality of the world is to paint or 
sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer

_ __________________ _

More information about the Link mailing list