Posted on November 2, 2017 at 4:44 PM
Thousands of Australians’ private information was exposed after an Amazon S3 misconfiguration.
The latest accidental data leak scandal has left the private information of thousands of Australians exposed to any online user. It has been described as the most severe since the country’s Red Cross breach in 2016, which targeted Australian government employees as well as notable private companies.
The leaked data included ID numbers, financial information such as credit card details, contact information including phone numbers, and salary information, amongst others. According to reports, the data was rendered vulnerable following a misconfiguration on the system’s Amazon S3 bucket. So far it is suspected that the bucket was not properly secured by an unnamed third-party contractor.
IT News reported that the data leak was reported by a Polish security expert known as Wojciech. Further investigation revealed that the data leak affected over 3000 Australians employed by the Department of Finance, 1470 employees of the Australian Electoral Commission, and 300 employees from the National Disability Insurance Agency. In addition to these governmental institutions, certain private firms were also targeted, including 17,000 employees from Utility UGL as well as 1500 employees from Rabobank.
The most affected firm to date is undoubtedly the financial service provider, AMP. The data leak affected over 25,000 of the firm’s employees.
In a press statement, AMP stated that a small amount of the firm’s data had been left vulnerable. Most of the exposed data pertaining to AMP included detailed staff expenses. According to the firm, the breach happened without their knowledge, and the firm also named a third-party contractor as the cause of the breach.
An AMP spokesperson stated that the mistake was immediately rectified once it had been reported. In addition, affected organizations and firms have launched an investigation to ensure that no client information was exposed in the process.
The spokesperson confirmed that only the firm’s employees were affected, and not their clients. In addition, the spokesperson emphasized AMP’s commitment to security and stressed that the firm is taking the breach very seriously and intends to review the data leak to address security standards and concerns.
According to the spokesperson for the Australian Cyber Security Centre (ACSC), once the agency was notified of the data breach, it immediately took steps to rectify the security breach. This included contacting the responsible third-party contractor in order to restore the data to a secured status. Since this problem has been addressed, the ACSC has been working together with affected government agencies to prevent similar breaches in the future.
Wojciech stated that he notified both the Australian defense department as well as AMP during October, but stated that AMP failed to respond. So far it is not yet certain how long the data was left exposed or who accessed the data.