update As news surfaced of an alleged attack on the website of independent telecommunications retailer Allphones, it has also come to light that the company failed to secure its own business database, making a recent copy of it and its financial details publicly available.
Allphones was notified yesterday that its website is vulnerable to an SQL injection attack by SC Magazine. Such an attack, which security researchers have previously described as one of the most common methods of entry for hackers, could provide a hacker with the usernames and passwords of staff, and the email addresses and passwords of Allphones' customer loyalty-program participants, according to SC Magazine.
The company said it was investigating whether its customer loyalty database had been hacked using the SQL vulnerability.
"Allphones has detected a possible vulnerability of the Allphones website which may have enabled unauthorised access (hacking) of the Allphones Web Club [customer loyalty] database. The vulnerability has now been closed. Allphones' internal e-commerce team is closely monitoring all database activity. Allphones is in the process of investigating whether any hacking may have occurred to this database. We have handed the matter over to the Police to investigate the source of the hacking," the company said in a statement.
Further examination of Allphones' systems by ZDNet Australia revealed that the retailer has also been running an open FTP server. Before the sensitive information was deleted and anonymous access was revoked earlier this morning, the server allowed any user to log on anonymously. It contained spreadsheets that revealed the staffing levels for one of its stores, the rates of pay for its employees, sales and wages forecasts, sales budgets and key performance indicators.
Three other spreadsheets on the server, which appeared to be related to weekly sales figures and wages, were individually password protected, although this protection would have been trivial to break into, using any number of tools freely available on the internet.
The company said that the information had been used for training. "The snapshot you provided was part of a training toolkit and not operational material. The store shown in that snapshot has not operated for over 12 months," it said in a statement.
Spreadsheets contained past information, such as the hours that employees worked, and their wages.
(Screenshot by Michael Lee/ZDNet Australia)
The FTP server also contained a recent database dump from the enterprise resource management-planning software that the company uses: Pronto-Xi. Combined with the documentation on the FTP server and the installation files for the software, hackers may have had all they need to set up a duplicate of Allphones' database.
From the documentation and set-up files available on its FTP server, Allphones appears to have integrated Pronto-Xi with software from PC-EFTPOS to accept payments, putting more at stake than just company information.
Other files included a large zip archive labelled Microsoft Office 2007.
ZDNet Australia notified the IT manager of the open access, and this morning the company deleted the sensitive information from the server and revoked anonymous access to it.
A second FTP server running on another Allphones domain remains open, but contains no information.
The Australasian Mobile Telecommunications Group, which owns the Allphones brand, also has another open FTP server for one of its other brands, but it contains no information.
The company stressed that its customer loyalty database wasn't connected to Pronto. "Whilst it appears that there has been some unauthorised access to the website, this [Web Club] database is not connected to our carrier systems or back end system. It is not connected to Pronto," it said.
Nevertheless a Pronto-Xi dump of data was accessible from Allphones' FTP server, but has since been deleted.
Updated at 6.28pm, 7 March 2012: added comment from Allphones in paragraphs three, four, seven, 14 and 15.